Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible public form, no credentials needed, no scope change; integrity impact is low (unrestricted file type stored), no confidentiality or availability impact confirmed.
Primary rating from Vendor (f4fb688c-4412-4426-b4b8-421ecf27b14a).
CVSS VectorVendor: f4fb688c-4412-4426-b4b8-421ecf27b14a
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.
AnalysisAI
MIME type restriction bypass in TYPO3 CMS 14.2.0-14.3.5 allows unauthenticated attackers to upload files of arbitrary MIME types through forms configured with FileUpload or ImageUpload elements, circumventing the allowedMimeTypes restriction entirely. The flaw originates from a lifecycle ordering defect in the server-side form framework: MimeTypeValidator is registered before concrete form definition properties are applied, so it is absent from the validation pipeline at runtime. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target TYPO3 instance runs version 14.2.0-14.3.5 AND has at least one form deployed via the TYPO3 Form Framework that includes a FileUpload or ImageUpload form element with the allowedMimeTypes property explicitly set to a non-empty list. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 score is 6.3 (Medium) with vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker visits a publicly accessible TYPO3 site that hosts a contact or registration form with a file upload field restricted to images (e.g., allowedMimeTypes: image/jpeg, image/png). Using a tool such as curl or Burp Suite, they intercept the multipart/form-data request and replace the Content-Type header and file content with an HTML or SVG file containing embedded JavaScript, then submit the form. … |
| Remediation | The primary remediation is to upgrade TYPO3 CMS to a version beyond 14.3.5; the exact patched release version is not independently confirmed from available data - consult the vendor advisory at https://typo3.org/security/advisory/typo3-core-sa-2026-020 for the authoritative fix version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-351 – Insufficient Type Distinction
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43671
GHSA-p8pr-442q-qf8g