CVE-2026-15305: CWE-351 Insufficient Type Distinction in TYPO3 TYPO3 CMS
Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.
AI Analysis
Technical Summary
CVE-2026-15305 is a medium severity vulnerability in TYPO3 CMS affecting versions 14.2.0 up to but not including 14.3.5. The issue arises from insufficient type distinction (CWE-351) in the file upload validation process. Specifically, the MimeTypeValidator intended to enforce allowed MIME types on FileUpload or ImageUpload form elements is registered prematurely during form construction, before the concrete form definitions are applied. This leads to the validator never being added to the server-side processing pipeline, allowing users to bypass MIME type restrictions and upload files with arbitrary MIME types.
Potential Impact
The vulnerability allows attackers or users to upload files with arbitrary MIME types to TYPO3 CMS forms that are configured to restrict uploads by MIME type. This could lead to unauthorized file uploads that may bypass intended security controls. The CVSS 4.0 base score is 6.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, but limited impact on confidentiality and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided at this time. Until a patch is available, administrators should consider additional manual validation or restrictions on file uploads to mitigate the risk.
CVE-2026-15305: CWE-351 Insufficient Type Distinction in TYPO3 TYPO3 CMS
Description
Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.
CVSS v4.0
Score 6.3medium
Affected software
pkg:composer/typo3/cms-formRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-15305 is a medium severity vulnerability in TYPO3 CMS affecting versions 14.2.0 up to but not including 14.3.5. The issue arises from insufficient type distinction (CWE-351) in the file upload validation process. Specifically, the MimeTypeValidator intended to enforce allowed MIME types on FileUpload or ImageUpload form elements is registered prematurely during form construction, before the concrete form definitions are applied. This leads to the validator never being added to the server-side processing pipeline, allowing users to bypass MIME type restrictions and upload files with arbitrary MIME types.
Potential Impact
The vulnerability allows attackers or users to upload files with arbitrary MIME types to TYPO3 CMS forms that are configured to restrict uploads by MIME type. This could lead to unauthorized file uploads that may bypass intended security controls. The CVSS 4.0 base score is 6.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, but limited impact on confidentiality and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided at this time. Until a patch is available, administrators should consider additional manual validation or restrictions on file uploads to mitigate the risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- TYPO3
- Date Reserved
- 2026-07-09T16:25:43.306Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a56374568715ace438e9d3d
Added to database: 07/14/2026, 13:19:01 UTC
Last enriched: 07/14/2026, 13:33:33 UTC
Last updated: 07/14/2026, 13:48:12 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.