CVE-2026-15305

N/A Unknown
Published: July 14, 2026 Modified: July 14, 2026
View on NVD

Description

Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://typo3.org/security/advisory/typo3-core-sa-2026-020
Source: f4fb688c-4412-4426-b4b8-421ecf27b14a

1 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)