CVE-2026-15305
Received Received - Intake

Arbitrary File Upload in TYPO3 CMS

Vulnerability report for CVE-2026-15305, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: TYPO3

Description

Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
typo3 typo3_cms 14.2.0
typo3 typo3_cms to 14.3.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-351 The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15305 is a vulnerability in the TYPO3 CMS Form Framework affecting versions 14.2.0 to 14.3.5. It allows users to upload files with arbitrary MIME types through FileUpload or ImageUpload form elements, even when allowedMimeTypes is configured to restrict specific MIME types.

The issue occurs because the MimeTypeValidator, which is supposed to enforce server-side restrictions on allowed MIME types, was not properly added to the form processing pipeline. This happened because the validator was registered during form building before the concrete form definition properties (like allowedMimeTypes) were applied, causing the validation to be bypassed.

Impact Analysis

This vulnerability can impact you in several ways:

  • Malicious file uploads: Attackers could upload files with harmful content (e.g., malware, scripts, or executables) disguised as harmless MIME types, potentially compromising your system or network.
  • Data breaches: If sensitive data is stored or processed on the affected system, unauthorized file uploads could lead to data leaks or unauthorized access.
  • System compromise: Uploaded malicious files could be used to execute arbitrary code, leading to full system compromise or unauthorized control over the affected TYPO3 instance.
  • Reputation damage: If the vulnerability is exploited, it could harm your organization's reputation, especially if customer or user data is affected.
Compliance Impact

This vulnerability can affect compliance with common standards and regulations in the following ways:

  • GDPR (General Data Protection Regulation): If the vulnerability leads to unauthorized access or exposure of personal data, it could violate GDPR requirements for data protection and security. Organizations may face fines or legal consequences for failing to protect personal data adequately.
  • HIPAA (Health Insurance Portability and Accountability Act): For organizations handling protected health information (PHI), this vulnerability could result in unauthorized access to sensitive health data, violating HIPAA's security and privacy rules. Non-compliance could lead to penalties and legal action.
  • PCI DSS (Payment Card Industry Data Security Standard): If the affected system processes payment card data, this vulnerability could lead to unauthorized access or data breaches, violating PCI DSS requirements for secure handling of cardholder data.
  • ISO 27001: This standard requires organizations to implement controls for information security. The vulnerability represents a failure to enforce proper file upload restrictions, which could be seen as a non-conformance with ISO 27001 requirements for secure data handling.

To maintain compliance, organizations should address the vulnerability promptly by applying the recommended patch or update to the affected TYPO3 CMS version.

Detection Guidance

Detecting this vulnerability requires checking if your TYPO3 CMS instance is running an affected version (14.2.0 to 14.3.4) and verifying whether FileUpload or ImageUpload form elements with allowedMimeTypes configurations are present without proper server-side validation.

  • Check the TYPO3 CMS version: Log in to the TYPO3 backend, navigate to the 'System' module, and review the version under 'About TYPO3.' Alternatively, inspect the composer.json or typo3/sysext/core/composer.json file for the version number.
  • Review form configurations: Look for forms in the TYPO3 backend under 'Forms' that use FileUpload or ImageUpload elements with allowedMimeTypes settings. Ensure these forms are not accepting unexpected file types.
  • Test file uploads: Attempt to upload files with MIME types not listed in allowedMimeTypes. If the upload succeeds, the system may be vulnerable.
  • Inspect server logs: Check web server logs for unusual file uploads or requests to forms containing FileUpload or ImageUpload elements.
Mitigation Strategies

The primary mitigation for this vulnerability is to update TYPO3 CMS to the latest patched version. If an immediate update is not possible, apply the following steps to reduce risk.

  • Update TYPO3 CMS: Upgrade to version 14.3.5 LTS or later, as the issue was fixed in this release. Follow the official TYPO3 update guide for instructions.
  • Disable vulnerable forms: Temporarily disable or remove forms that use FileUpload or ImageUpload elements until the update is applied.
  • Implement additional server-side checks: Manually validate file MIME types on the server side using custom scripts or configurations until the official patch is applied.
  • Monitor file uploads: Enable logging for file uploads and review them regularly for suspicious activity.
  • Restrict file upload permissions: Limit file upload directories to trusted users and ensure they are not executable or accessible to unauthorized parties.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15305. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart