Back to overview

CVE-2026-15305

MEDIUM
6.3
CVSS 4.0
Description
Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.

Metadata

CVE ID
CVE-2026-15305
State
PUBLISHED
Assigner
TYPO3
Reserved
2026-07-09 16:25 UTC
Published
2026-07-14 12:45 UTC
Last updated
2026-07-14 13:26 UTC
Primary CWE
CWE-351
CWE-351 Insufficient Type Distinction
Vendor / Product
TYPO3 / TYPO3 CMS
Sources
cve.org  ·  NVD

Severity & Metrics

6.3 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
TYPO3 TYPO3 CMS 14.2.0 < 14.3.5
Weakness (CWE)
CWESourceDescription
CWE-351 cna CWE-351 Insufficient Type Distinction
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Back to overview