{"api_version":"1","generated_at":"2026-07-17T07:45:19+00:00","cve":"CVE-2026-15305","urls":{"html":"https://cve.report/CVE-2026-15305","api":"https://cve.report/api/cve/CVE-2026-15305.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-15305","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-15305"},"summary":{"title":"TYPO3 CMS - Unrestricted File Upload in Form Framework","description":"Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.4.","state":"PUBLISHED","assigner":"TYPO3","published_at":"2026-07-14 13:18:16","updated_at":"2026-07-15 21:00:44"},"problem_types":["CWE-351","CWE-351 CWE-351 Insufficient Type Distinction"],"metrics":[{"version":"4.0","source":"f4fb688c-4412-4426-b4b8-421ecf27b14a","type":"Secondary","score":"6.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"6.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":6.3,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"}}],"references":[{"url":"https://github.com/TYPO3/typo3/commit/cfda21050398eb145211a4fa6f9988f10e43e10b","name":"https://github.com/TYPO3/typo3/commit/cfda21050398eb145211a4fa6f9988f10e43e10b","refsource":"f4fb688c-4412-4426-b4b8-421ecf27b14a","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://typo3.org/security/advisory/typo3-core-sa-2026-020","name":"https://typo3.org/security/advisory/typo3-core-sa-2026-020","refsource":"f4fb688c-4412-4426-b4b8-421ecf27b14a","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/TYPO3/typo3/commit/817ad41cc9dd28aac0fc4d0fe16fc25d46dd554a","name":"https://github.com/TYPO3/typo3/commit/817ad41cc9dd28aac0fc4d0fe16fc25d46dd554a","refsource":"f4fb688c-4412-4426-b4b8-421ecf27b14a","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-15305","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-15305","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"TYPO3","product":"TYPO3 CMS","version":"affected 14.2.0 14.3.5 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Josua Vogel","lang":"en"},{"source":"CNA","value":"Oliver Hader","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"15305","cve":"CVE-2026-15305","epss":"0.001740000","percentile":"0.070320000","score_date":"2026-07-16","updated_at":"2026-07-17 00:05:19"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-15305","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-14T13:26:13.647808Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-14T13:26:21.743Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://packagist.org","defaultStatus":"unaffected","modules":["Form Framework"],"packageName":"typo3/cms-form","product":"TYPO3 CMS","repo":"https://github.com/TYPO3/typo3","vendor":"TYPO3","versions":[{"lessThan":"14.3.5","status":"affected","version":"14.2.0","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*","versionEndExcluding":"14.3.5","versionStartIncluding":"14.2.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"remediation developer","value":"Josua Vogel"},{"lang":"en","type":"remediation developer","value":"Oliver Hader"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Users were able to upload files with arbitrary MIME types to forms using <code>FileUpload</code> or <code>ImageUpload</code> elements with <code>allowedMimeTypes</code> configured. The restriction was not enforced server-side because the <code>MimeTypeValidator</code> was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.4."}],"value":"Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.4."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":6.3,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-351","description":"CWE-351 Insufficient Type Distinction","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-15T12:26:56.912Z","orgId":"f4fb688c-4412-4426-b4b8-421ecf27b14a","shortName":"TYPO3"},"references":[{"tags":["vendor-advisory"],"url":"https://typo3.org/security/advisory/typo3-core-sa-2026-020"},{"name":"Git commit of main branch","tags":["patch"],"url":"https://github.com/TYPO3/typo3/commit/817ad41cc9dd28aac0fc4d0fe16fc25d46dd554a"},{"name":"Git commit of 14.3 branch","tags":["patch"],"url":"https://github.com/TYPO3/typo3/commit/cfda21050398eb145211a4fa6f9988f10e43e10b"}],"source":{"discovery":"UNKNOWN"},"title":"TYPO3 CMS - Unrestricted File Upload in Form Framework","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"f4fb688c-4412-4426-b4b8-421ecf27b14a","assignerShortName":"TYPO3","cveId":"CVE-2026-15305","datePublished":"2026-07-14T12:45:10.996Z","dateReserved":"2026-07-09T16:25:43.306Z","dateUpdated":"2026-07-15T12:26:56.912Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-14 13:18:16","lastModifiedDate":"2026-07-15 21:00:44","problem_types":["CWE-351","CWE-351 CWE-351 Insufficient Type Distinction"],"metrics":{"cvssMetricV40":[{"source":"f4fb688c-4412-4426-b4b8-421ecf27b14a","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-14T13:26:13.647808Z","id":"CVE-2026-15305","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"15305","Ordinal":"1","Title":"TYPO3 CMS - Unrestricted File Upload in Form Framework","CVE":"CVE-2026-15305","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"15305","Ordinal":"1","NoteData":"Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.4.","Type":"Description","Title":"TYPO3 CMS - Unrestricted File Upload in Form Framework"}]}}}