CVE-2026-15305
CWE-351Published: July 14, 2026· Updated: Jul 15, 2026
Official Description
Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.4.
Technical Analysis
CVE-2026-15305 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (3)
Quick Facts
Related CVEs (CWE-351)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-15305 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts