CVE-2026-15305 in TYPO3
Summary
by MITRE • 07/14/2026
Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/14/2026
This vulnerability represents a critical server-side validation bypass that undermines the security controls designed to restrict file uploads within TYPO3 CMS installations. The flaw occurs due to improper validator registration timing during the form building process, creating a scenario where MIME type restrictions are effectively rendered useless. When users interact with FileUpload or ImageUpload form elements configured with allowedMimeTypes, the system should enforce strict validation to prevent malicious file uploads. However, the MimeTypeValidator is registered at an inappropriate stage in the form construction lifecycle, specifically before concrete form definition properties are applied. This timing issue results in the validator never being properly integrated into the processing pipeline, leaving the upload functionality completely vulnerable to arbitrary file type submissions.
The technical implementation problem stems from a fundamental flaw in TYPO3's form validation architecture where the validator registration mechanism operates asynchronously with respect to form configuration application. During normal operation, the system should validate that uploaded files conform to the specified MIME types before accepting them into the processing pipeline. The MimeTypeValidator, which is designed to enforce these restrictions, becomes orphaned during the form building phase when it's registered prior to the concrete properties being applied to the form definition. This creates a race condition where validation logic exists but is never executed against actual upload requests, rendering the entire security control ineffective.
The operational impact of this vulnerability extends beyond simple file type restriction bypasses and represents a significant risk to TYPO3 CMS installations across versions 14.2.0 through 14.3.5. Attackers can exploit this weakness to upload malicious files with potentially dangerous MIME types that would normally be blocked by the configured restrictions. This could enable arbitrary code execution, cross-site scripting attacks, or other malicious activities depending on how the uploaded files are processed within the application. The vulnerability particularly affects web applications that rely heavily on user-uploaded content and implement strict MIME type controls as part of their security posture, creating a window for attackers to circumvent these protections entirely.
From a cybersecurity perspective, this vulnerability aligns with CWE-693 Protection Mechanism Failure, specifically addressing inadequate validation mechanisms that fail to properly enforce access control restrictions. The issue also maps to ATT&CK technique T1505.003 Exploitation for Execution, where attackers leverage application vulnerabilities to execute malicious code through file uploads. The root cause demonstrates poor security architecture design where validation controls are not properly integrated into the application's processing pipeline, creating a persistent security gap that can be exploited across multiple attack vectors.
Organizations affected by this vulnerability should immediately implement mitigations including updating to patched versions of TYPO3 CMS, implementing additional server-side validation layers, and conducting comprehensive security reviews of all file upload functionality. The recommended approach involves ensuring proper validator registration timing within the application framework, implementing redundant validation checks, and establishing monitoring controls to detect unauthorized file uploads. Additionally, organizations should consider deploying web application firewalls with MIME type enforcement capabilities as defensive measures while awaiting official patches to address the underlying architectural flaw in the form building and validation process.