CVE-2026-47346
Description
TYPO3 CMS Form Framework allows backend users with file write permissions to bypass upload restrictions, enabling SQL injection and privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Backend users with file write permissions in TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2 could upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restrictions [3].
Exploitation
An attacker with backend user privileges and file write permissions can craft a malicious form definition file with a mixed-case extension. By uploading this file, they can bypass the Form Framework's upload restrictions, leading to the execution of arbitrary SQL statements [3].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL statements, which can be used to escalate privileges by creating administrative backend user accounts [3].
Mitigation
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS. The vulnerability was fixed in commits referenced as [1] and [2].
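Updating closes the upload path, but files that were uploaded before the fix stay on disk. The following audit script is an added example, not TYPO3 code: it walks a storage's base path and lists every file whose name matches the `.form.yaml` suffix only when compared case-insensitively, which is exactly the class of name the pre-fix exact-case check let through. The `typo3-form-audit-*` temp directory and the fixture files in it are constructed for the run; point `findMixedCaseFormDefinitions()` at a real storage base path (for example the storage's `fileadmin/`) to audit an installation.

```php
<?php
declare(strict_types=1);

// Added example (not part of TYPO3): list files whose name is a form definition
// only by case-insensitive suffix, i.e. mixed- or upper-case ".form.yaml" names.
const FORM_DEFINITION_FILE_EXTENSION = '.form.yaml';

/**
 * Returns relative paths (sorted) of files under $basePath that end in the
 * form-definition suffix case-insensitively but not with the exact lower-case
 * suffix. Exact-case ".form.yaml" files are regular, expected form definitions.
 *
 * @return list<string>
 */
function findMixedCaseFormDefinitions(string $basePath): array
{
    $basePath = rtrim($basePath, '/');
    $found = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($basePath, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        /** @var SplFileInfo $file */
        if (!$file->isFile()) {
            continue;
        }
        $name = $file->getFilename();
        $exact = str_ends_with($name, FORM_DEFINITION_FILE_EXTENSION);
        // Explicit encoding so the result does not depend on mbstring defaults.
        $insensitive = str_ends_with(mb_strtolower($name, 'UTF-8'), FORM_DEFINITION_FILE_EXTENSION);
        if ($insensitive && !$exact) {
            $found[] = substr($file->getPathname(), strlen($basePath) + 1);
        }
    }
    sort($found);
    return $found;
}

// Constructed fixture tree (placeholder for a real storage base path).
$base = sys_get_temp_dir() . '/typo3-form-audit-' . bin2hex(random_bytes(4));
mkdir($base . '/form_definitions', 0700, true);
file_put_contents($base . '/form_definitions/contact.form.yaml', "type: Form\n");
file_put_contents($base . '/form_definitions/legacy.FORM.YAML', "type: Form\n");
file_put_contents($base . '/form_definitions/Mixed.Form.Yaml', "type: Form\n");
file_put_contents($base . '/notes.txt', "not a form definition\n");

foreach (findMixedCaseFormDefinitions($base) as $relativePath) {
    echo "review: {$relativePath}\n";
}

// Remove the constructed fixture tree again (children before parents).
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($cleanup as $entry) {
    $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
}
rmdir($base);
```

Only `contact.form.yaml` is skipped as a regular form definition; the two mixed-case names are reported for manual review. On case-insensitive storages the patched `LocalDriver::sanitizeFileName()` lowercases new uploads, so after the update this audit mostly matters for case-sensitive storages and for files that were uploaded before the fix.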
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
22030617e6f27 [SECURITY] Properly detect .form.yaml suffixes in resource layer
6 files changed · +205 −2
typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php+8 −1 modified@@ -296,7 +296,8 @@ public function getFolderInfoByIdentifier(string $folderIdentifier): array /** * Returns a string where any character not matching [.a-zA-Z0-9_-] is * substituted by '_' - * Trailing dots are removed + * Trailing dots are removed and characters are lowercased if using + * a case insensitive file system. * * Previously in \TYPO3\CMS\Core\Utility\File\BasicFileUtility::cleanFileName() * @@ -310,10 +311,16 @@ public function sanitizeFileName(string $fileName): string if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem']) { // Allow ".", "-", 0-9, a-z, A-Z and everything beyond U+C0 (latin capital letter a with grave) $cleanFileName = (string)preg_replace('/[' . self::UNSAFE_FILENAME_CHARACTER_EXPRESSION . ']/u', '_', trim($fileName)); + if (!$this->isCaseSensitiveFileSystem()) { + $cleanFileName = mb_strtolower($cleanFileName, 'utf-8'); + } } else { $fileName = GeneralUtility::makeInstance(CharsetConverter::class)->utf8_char_mapping($fileName); // Replace unwanted characters with underscores $cleanFileName = (string)preg_replace('/[' . self::UNSAFE_FILENAME_CHARACTER_EXPRESSION . '\\xC0-\\xFF]/', '_', trim($fileName)); + if (!$this->isCaseSensitiveFileSystem()) { + $cleanFileName = strtolower($cleanFileName); + } } // Strip trailing dots and return $cleanFileName = rtrim($cleanFileName, '.');
typo3/sysext/form/Classes/Slot/FilePersistenceSlot.php+4 −1 modified@@ -172,7 +172,10 @@ private function buildCombinedIdentifier(FolderInterface $folder, string $fileNa private function isFormDefinition(string $identifier): bool { - return str_ends_with($identifier, FormPersistenceManagerInterface::FORM_DEFINITION_FILE_EXTENSION); + return str_ends_with( + mb_strtolower($identifier), + FormPersistenceManagerInterface::FORM_DEFINITION_FILE_EXTENSION + ); } private function isRecycleFolder(FolderInterface $folder): bool
typo3/sysext/form/Tests/Functional/Core/ExtendedFileUtilityTest.php+190 −0 added@@ -0,0 +1,190 @@ +<?php + +declare(strict_types=1); + +/* + * This file is part of the TYPO3 CMS project. + * + * It is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License, either version 2 + * of the License, or any later version. + * + * For the full copyright and license information, please read the + * LICENSE.txt file that was distributed with this source code. + * + * The TYPO3 project - inspiring people to share! + */ + +namespace TYPO3\CMS\Form\Tests\Functional\Core; + +use PHPUnit\Framework\Attributes\DataProvider; +use PHPUnit\Framework\Attributes\Test; +use TYPO3\CMS\Core\Database\ConnectionPool; +use TYPO3\CMS\Core\Http\UploadedFile; +use TYPO3\CMS\Core\Localization\LanguageServiceFactory; +use TYPO3\CMS\Core\Resource\File; +use TYPO3\CMS\Core\Utility\File\ExtendedFileUtility; +use TYPO3\CMS\Core\Utility\GeneralUtility; +use TYPO3\TestingFramework\Core\Functional\FunctionalTestCase; + +final class ExtendedFileUtilityTest extends FunctionalTestCase +{ + protected array $coreExtensionsToLoad = ['form']; + + protected function setUp(): void + { + parent::setUp(); + $this->importCSVDataSet(__DIR__ . '/../Fixtures/be_users.csv'); + $this->setUpBackendUser(1); + $GLOBALS['LANG'] = $this->get(LanguageServiceFactory::class)->create('en'); + + // ensure, temporary uploaded files are purged again + // @todo move this to the testing framework (which only reinitialized files for the first run) + $fileCommandsPath = $this->instancePath . 
'/fileadmin/file-commands'; + if (is_dir($fileCommandsPath)) { + GeneralUtility::rmdir($fileCommandsPath, true); + } + GeneralUtility::mkdir($fileCommandsPath); + } + + public static function fileCommandsAreProcessedDataProvider(): iterable + { + yield 'protected file suffix (case-insensitive storage)' => [ + 'caseSensitiveFileStorage' => false, + 'fileCommands' => [ + 'upload' => [ + 1 => ['target' => '1:/file-commands/', 'data' => 1], + ], + ], + 'uploadableFiles' => [ + 'upload_1' => [ + __DIR__ . '/../Fixtures/Files/temp-lowercase.form.yaml', + __DIR__ . '/../Fixtures/Files/temp-uppercase.FORM.YAML', + ], + ], + 'expectedResult' => [ + 'upload' => [ + // none of the uploaded files is supposed to be accepted + 0 => [], + ], + ], + ]; + yield 'protected file suffix (case-sensitive storage)' => [ + 'caseSensitiveFileStorage' => true, + 'fileCommands' => [ + 'upload' => [ + 1 => ['target' => '1:/file-commands/', 'data' => 1], + ], + ], + 'uploadableFiles' => [ + 'upload_1' => [ + __DIR__ . '/../Fixtures/Files/temp-lowercase.form.yaml', + __DIR__ . '/../Fixtures/Files/temp-uppercase.FORM.YAML', + ], + ], + 'expectedResult' => [ + 'upload' => [ + // none of the uploaded files is supposed to be accepted + 0 => [], + ], + ], + ]; + yield 'regular-file (case-sensitive storage)' => [ + 'caseSensitiveFileStorage' => true, + 'fileCommands' => [ + 'upload' => [ + 1 => ['target' => '1:/file-commands/', 'data' => 1], + ], + ], + 'uploadableFiles' => [ + 'upload_1' => [ + __DIR__ . 
'/../Fixtures/Files/regular-file.txt', + ], + ], + 'expectedResult' => [ + 'upload' => [ + // none of the uploaded files is supposed to be accepted + 0 => ['1:/file-commands/regular-file.txt'], + ], + ], + ]; + } + + /** + * Specific implementation for EXT:form of + * \TYPO3\CMS\Core\Tests\Functional\Utility\File\ExtendedFileUtilityTest::fileCommandsAreProcessed + */ + #[Test] + #[DataProvider('fileCommandsAreProcessedDataProvider')] + public function fileCommandsAreProcessed(bool $caseSensitiveFileStorage, array $fileCommands, array $uploadableFiles, array $expectedResult): void + { + $this->createDefaultFileStorage($caseSensitiveFileStorage); + $uploadedFiles = array_map( + fn(array|string $data): array|UploadedFile => is_array($data) + ? array_map($this->createUploadedFile(...), $data) + : $this->createUploadedFile($data), + $uploadableFiles + ); + + $extendedFileUtility = new ExtendedFileUtility(); + $extendedFileUtility->start($fileCommands, $uploadedFiles); + $result = $extendedFileUtility->processData(); + + self::assertSame($expectedResult, $this->normalizeProcessedDataResult($result)); + } + + private function createDefaultFileStorage(bool $caseSensitive): void + { + $caseSensitiveValue = $caseSensitive ? 
1 : 0; + $configuration = <<<XML + <?xml version="1.0" encoding="utf-8" standalone="yes" ?> + <T3FlexForms> + <data> + <sheet index="sDEF"> + <language index="lDEF"> + <field index="basePath"><value index="vDEF">fileadmin/</value></field> + <field index="pathType"><value index="vDEF">relative</value></field> + <field index="caseSensitive"><value index="vDEF">{$caseSensitiveValue}</value></field> + </language> + </sheet> + </data> + </T3FlexForms> + XML; + $this->get(ConnectionPool::class) + ->getConnectionForTable('sys_file_storage') + ->insert('sys_file_storage', [ + 'uid' => 1, + 'pid' => 0, + 'name' => 'fileadmin/ (auto-created)', + 'processingfolder' => 'temp/assets/_processed_/', + 'driver' => 'Local', + 'is_browsable' => 1, + 'is_public' => 1, + 'is_writable' => 1, + 'is_online' => 1, + 'configuration' => $configuration, + ]); + } + + private function createUploadedFile(string $filePath): UploadedFile + { + $size = filesize($filePath); + $tempPath = GeneralUtility::tempnam('extended-file-utility-test'); + GeneralUtility::writeFile($tempPath, file_get_contents($filePath)); + // @todo use resource streams of `UploadedFile`, once it's fully supported in FAL + return new UploadedFile($tempPath, $size, UPLOAD_ERR_OK, basename($filePath)); + } + + private function normalizeProcessedDataResult(array $result): array + { + return array_map( + static fn(array $actionResult): array => array_map( + static fn(array|File|null $fileResult): array|string|null => is_array($fileResult) + ? array_map(static fn(File $file): string => $file->getCombinedIdentifier(), $fileResult) + : $fileResult?->getCombinedIdentifier(), + $actionResult + ), + $result + ); + } +}
typo3/sysext/form/Tests/Functional/Fixtures/Files/regular-file.txt+1 −0 added@@ -0,0 +1 @@ +foo
typo3/sysext/form/Tests/Functional/Fixtures/Files/temp-lowercase.form.yaml+1 −0 added@@ -0,0 +1 @@ +# temp.form.yaml
typo3/sysext/form/Tests/Functional/Fixtures/Files/temp-uppercase.FORM.YAML+1 −0 added@@ -0,0 +1 @@ +# temp.FORM.YAML
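Review bot: in the `LocalDriver::sanitizeFileName()` hunk the new `strtolower`/`mb_strtolower` branch applies to every file name passing through the driver on a storage where `isCaseSensitiveFileSystem()` is false, not only to form definitions, so all new uploads to such storages will land with lower-cased names; that is a visible behaviour change for editors and integrators, and none of the 6 files changed in this commit carries a changelog or documentation entry describing it. Suggest adding one next to the updated docblock sentence "characters are lowercased if using a case insensitive file system".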
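Review bot: the `FilePersistenceSlot::isFormDefinition()` hunk calls `mb_strtolower($identifier)` without an encoding, while the `LocalDriver` hunk in the same commit passes `'utf-8'` explicitly; the slot comparison therefore depends on `mbstring.internal_encoding`. Suggest `mb_strtolower($identifier, 'utf-8')` so both call sites canonicalise the same way.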
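Review bot: in `ExtendedFileUtilityTest::fileCommandsAreProcessedDataProvider()` the comment "none of the uploaded files is supposed to be accepted" is copied into the 'regular-file (case-sensitive storage)' case, whose `expectedResult` is `0 => ['1:/file-commands/regular-file.txt']`, i.e. the file is accepted; the comment should say so. The provider also covers the regular file only on a case-sensitive storage and sends `upload` commands only; a 'regular-file (case-insensitive storage)' case would show the lower-casing of accepted names, and if `isFormDefinition()` is also consulted for rename/copy/move targets, a case with a `.FORM.YAML` target name would cover that path too.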
eb2b2251d903 [SECURITY] Properly detect .form.yaml suffixes in resource layer
7 files changed · +292 −2
typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php+8 −1 modified@@ -301,7 +301,8 @@ public function getFolderInfoByIdentifier(string $folderIdentifier): array /** * Returns a string where any character not matching [.a-zA-Z0-9_-] is * substituted by '_' - * Trailing dots are removed + * Trailing dots are removed and characters are lowercased if using + * a case insensitive file system. * * Previously in \TYPO3\CMS\Core\Utility\File\BasicFileUtility::cleanFileName() * @@ -320,10 +321,16 @@ public function sanitizeFileName(string $fileName, string $charset = 'utf-8'): s if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem']) { // Allow ".", "-", 0-9, a-z, A-Z and everything beyond U+C0 (latin capital letter a with grave) $cleanFileName = (string)preg_replace('/[' . self::UNSAFE_FILENAME_CHARACTER_EXPRESSION . ']/u', '_', trim($fileName)); + if (!$this->isCaseSensitiveFileSystem()) { + $cleanFileName = mb_strtolower($cleanFileName, 'utf-8'); + } } else { $fileName = GeneralUtility::makeInstance(CharsetConverter::class)->specCharsToASCII($charset, $fileName); // Replace unwanted characters with underscores $cleanFileName = (string)preg_replace('/[' . self::UNSAFE_FILENAME_CHARACTER_EXPRESSION . '\\xC0-\\xFF]/', '_', trim($fileName)); + if (!$this->isCaseSensitiveFileSystem()) { + $cleanFileName = strtolower($cleanFileName); + } } // Strip trailing dots and return $cleanFileName = rtrim($cleanFileName, '.');
typo3/sysext/form/Classes/Slot/FilePersistenceSlot.php+4 −1 modified@@ -172,7 +172,10 @@ private function buildCombinedIdentifier(FolderInterface $folder, string $fileNa private function isFormDefinition(string $identifier): bool { - return str_ends_with($identifier, FormPersistenceManagerInterface::FORM_DEFINITION_FILE_EXTENSION); + return str_ends_with( + mb_strtolower($identifier), + FormPersistenceManagerInterface::FORM_DEFINITION_FILE_EXTENSION + ); } private function isRecycleFolder(FolderInterface $folder): bool
typo3/sysext/form/Tests/Functional/Core/ExtendedFileUtilityTest.php+236 −0 added@@ -0,0 +1,236 @@ +<?php + +declare(strict_types=1); + +/* + * This file is part of the TYPO3 CMS project. + * + * It is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License, either version 2 + * of the License, or any later version. + * + * For the full copyright and license information, please read the + * LICENSE.txt file that was distributed with this source code. + * + * The TYPO3 project - inspiring people to share! + */ + +namespace TYPO3\CMS\Form\Tests\Functional\Core; + +use PHPUnit\Framework\Attributes\DataProvider; +use PHPUnit\Framework\Attributes\Test; +use TYPO3\CMS\Core\Database\ConnectionPool; +use TYPO3\CMS\Core\Http\UploadedFile; +use TYPO3\CMS\Core\Localization\LanguageServiceFactory; +use TYPO3\CMS\Core\Resource\Enum\DuplicationBehavior; +use TYPO3\CMS\Core\Resource\File; +use TYPO3\CMS\Core\Resource\ResourceStorage; +use TYPO3\CMS\Core\Utility\File\ExtendedFileUtility; +use TYPO3\CMS\Core\Utility\GeneralUtility; +use TYPO3\CMS\Form\Tests\Functional\Fixtures\ResourceStorageUploadMock; +use TYPO3\TestingFramework\Core\Functional\FunctionalTestCase; + +final class ExtendedFileUtilityTest extends FunctionalTestCase +{ + protected array $coreExtensionsToLoad = ['form']; + + protected function setUp(): void + { + parent::setUp(); + $this->importCSVDataSet(__DIR__ . '/../Fixtures/be_users.csv'); + $this->setUpBackendUser(1); + $GLOBALS['LANG'] = $this->get(LanguageServiceFactory::class)->create('default'); + + // ensure, temporary uploaded files are purged again + // @todo move this to the testing framework (which only reinitialized files for the first run) + $fileCommandsPath = $this->instancePath . 
'/fileadmin/file-commands'; + if (is_dir($fileCommandsPath)) { + GeneralUtility::rmdir($fileCommandsPath, true); + } + GeneralUtility::mkdir($fileCommandsPath); + + // Configure ResourceStorage mock to overwrite the `is_uploaded_file` + // check which can not be mocked + $GLOBALS['TYPO3_CONF_VARS']['SYS']['Objects'][ResourceStorage::class] = [ + 'className' => ResourceStorageUploadMock::class, + ]; + GeneralUtility::flushInternalRuntimeCaches(); + } + + protected function tearDown(): void + { + unset($GLOBALS['TYPO3_CONF_VARS']['SYS']['Objects'][ResourceStorage::class]); + GeneralUtility::flushInternalRuntimeCaches(); + parent::tearDown(); + } + + public static function fileCommandsAreProcessedDataProvider(): iterable + { + yield 'protected file suffix (case-insensitive storage)' => [ + 'caseSensitiveFileStorage' => false, + 'fileCommands' => [ + 'upload' => [ + 1 => ['target' => '1:/file-commands/', 'data' => 1], + ], + ], + 'uploadableFiles' => [ + 'upload_1' => [ + __DIR__ . '/../Fixtures/Files/temp-lowercase.form.yaml', + __DIR__ . '/../Fixtures/Files/temp-uppercase.FORM.YAML', + ], + ], + 'expectedResult' => [ + 'upload' => [ + // none of the uploaded files is supposed to be accepted + 0 => [], + ], + ], + ]; + yield 'protected file suffix (case-sensitive storage)' => [ + 'caseSensitiveFileStorage' => true, + 'fileCommands' => [ + 'upload' => [ + 1 => ['target' => '1:/file-commands/', 'data' => 1], + ], + ], + 'uploadableFiles' => [ + 'upload_1' => [ + __DIR__ . '/../Fixtures/Files/temp-lowercase.form.yaml', + __DIR__ . '/../Fixtures/Files/temp-uppercase.FORM.YAML', + ], + ], + 'expectedResult' => [ + 'upload' => [ + // none of the uploaded files is supposed to be accepted + 0 => [], + ], + ], + ]; + yield 'regular-file (case-sensitive storage)' => [ + 'caseSensitiveFileStorage' => true, + 'fileCommands' => [ + 'upload' => [ + 1 => ['target' => '1:/file-commands/', 'data' => 1], + ], + ], + 'uploadableFiles' => [ + 'upload_1' => [ + __DIR__ . 
'/../Fixtures/Files/regular-file.txt', + ], + ], + 'expectedResult' => [ + 'upload' => [ + // none of the uploaded files is supposed to be accepted + 0 => ['1:/file-commands/regular-file.txt'], + ], + ], + ]; + } + + /** + * Specific implementation for EXT:form of + * \TYPO3\CMS\Core\Tests\Functional\Utility\File\ExtendedFileUtilityTest::fileCommandsAreProcessed + */ + #[Test] + #[DataProvider('fileCommandsAreProcessedDataProvider')] + public function fileCommandsAreProcessed(bool $caseSensitiveFileStorage, array $fileCommands, array $uploadableFiles, array $expectedResult): void + { + $this->createDefaultFileStorage($caseSensitiveFileStorage); + $uploadedFiles = array_map( + fn(array|string $data): array|UploadedFile => is_array($data) + ? array_map($this->createUploadedFile(...), $data) + : $this->createUploadedFile($data), + $uploadableFiles + ); + + $this->mockFilesArrayFromUploadedFiles($uploadedFiles); + + $extendedFileUtility = new ExtendedFileUtility(); + $extendedFileUtility->setExistingFilesConflictMode(DuplicationBehavior::getDefaultDuplicationBehaviour()); + $extendedFileUtility->start($fileCommands); + $result = $extendedFileUtility->processData(); + + self::assertSame($expectedResult, $this->normalizeProcessedDataResult($result)); + } + + /** + * @param array<string, UploadedFile|list<UploadedFile>> $uploadedFiles + */ + private function mockFilesArrayFromUploadedFiles(array $uploadedFiles): void + { + $_FILES = []; + foreach ($uploadedFiles as $name => $files) { + if ($files instanceof UploadedFile) { + $file = $files; + $_FILES[$name]['name'] = $file->getClientFilename(); + $_FILES[$name]['tmp_name'] = $file->getTemporaryFileName(); + $_FILES[$name]['error'] = $file->getError(); + $_FILES[$name]['size'] = $file->getSize(); + $_FILES[$name]['type'] = ''; + } else { + foreach ($files as $index => $file) { + $_FILES[$name]['name'][$index] = $file->getClientFilename(); + $_FILES[$name]['tmp_name'][$index] = $file->getTemporaryFileName(); + 
$_FILES[$name]['error'][$index] = $file->getError(); + $_FILES[$name]['size'][$index] = $file->getSize(); + $_FILES[$name]['type'][$index] = ''; + } + } + } + } + + private function createDefaultFileStorage(bool $caseSensitive): void + { + $caseSensitiveValue = $caseSensitive ? 1 : 0; + $configuration = <<<XML + <?xml version="1.0" encoding="utf-8" standalone="yes" ?> + <T3FlexForms> + <data> + <sheet index="sDEF"> + <language index="lDEF"> + <field index="basePath"><value index="vDEF">fileadmin/</value></field> + <field index="pathType"><value index="vDEF">relative</value></field> + <field index="caseSensitive"><value index="vDEF">{$caseSensitiveValue}</value></field> + </language> + </sheet> + </data> + </T3FlexForms> + XML; + $this->get(ConnectionPool::class) + ->getConnectionForTable('sys_file_storage') + ->insert('sys_file_storage', [ + 'uid' => 1, + 'pid' => 0, + 'name' => 'fileadmin/ (auto-created)', + 'processingfolder' => 'temp/assets/_processed_/', + 'driver' => 'Local', + 'is_browsable' => 1, + 'is_public' => 1, + 'is_writable' => 1, + 'is_online' => 1, + 'configuration' => $configuration, + ]); + } + + private function createUploadedFile(string $filePath): UploadedFile + { + $size = filesize($filePath); + $tempPath = GeneralUtility::tempnam('extended-file-utility-test'); + GeneralUtility::writeFile($tempPath, file_get_contents($filePath)); + // @todo use resource streams of `UploadedFile`, once it's fully supported in FAL + return new UploadedFile($tempPath, $size, UPLOAD_ERR_OK, basename($filePath)); + } + + private function normalizeProcessedDataResult(array $result): array + { + return array_map( + static fn(array $actionResult): array => array_map( + static fn(array|File|null $fileResult): array|string|null => is_array($fileResult) + ? array_map(static fn(File $file): string => $file->getCombinedIdentifier(), $fileResult) + : $fileResult?->getCombinedIdentifier(), + $actionResult + ), + $result + ); + } +}
typo3/sysext/form/Tests/Functional/Fixtures/Files/regular-file.txt+1 −0 added@@ -0,0 +1 @@ +foo
typo3/sysext/form/Tests/Functional/Fixtures/Files/temp-lowercase.form.yaml+1 −0 added@@ -0,0 +1 @@ +# temp.form.yaml
typo3/sysext/form/Tests/Functional/Fixtures/Files/temp-uppercase.FORM.YAML+1 −0 added@@ -0,0 +1 @@ +# temp.FORM.YAML
typo3/sysext/form/Tests/Functional/Fixtures/ResourceStorageUploadMock.php+41 −0 added@@ -0,0 +1,41 @@ +<?php + +declare(strict_types=1); + +/* + * This file is part of the TYPO3 CMS project. + * + * It is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License, either version 2 + * of the License, or any later version. + * + * For the full copyright and license information, please read the + * LICENSE.txt file that was distributed with this source code. + * + * The TYPO3 project - inspiring people to share! + */ + +namespace TYPO3\CMS\Form\Tests\Functional\Fixtures; + +use TYPO3\CMS\Core\Resource\Exception\UploadSizeException; +use TYPO3\CMS\Core\Resource\ResourceStorage; +use TYPO3\CMS\Core\Utility\GeneralUtility; + +class ResourceStorageUploadMock extends ResourceStorage +{ + protected function assureFileUploadPermissions($localFilePath, $targetFolder, $targetFileName, $uploadedFileSize) + { + // HEADS UP: This condition is disabled to allow mocked $_FILES + //if (!is_uploaded_file($localFilePath)) { + // throw new UploadException('The upload has failed, no uploaded file found!', 1322110455); + //} + + // Max upload size (kb) for files. + $maxUploadFileSize = GeneralUtility::getMaxUploadFileSize() * 1024; + if ($maxUploadFileSize > 0 && $uploadedFileSize >= $maxUploadFileSize) { + unlink($localFilePath); + throw new UploadSizeException('The uploaded file exceeds the size-limit of ' . $maxUploadFileSize . ' bytes', 1322110042); + } + $this->assureFileAddPermissions($targetFolder, $targetFileName); + } +}
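Review bot: `ExtendedFileUtilityTest::mockFilesArrayFromUploadedFiles()` assigns the `$_FILES` superglobal directly and nothing restores it; `tearDown()` only unsets the `SYS.Objects` entry for `ResourceStorage` and flushes runtime caches, so a later test in the same process inherits the mocked `$_FILES` entries. Suggest saving `$_FILES` in `setUp()` and restoring it (or resetting it to `[]`) in `tearDown()` next to the existing cleanup.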
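Review bot: `ResourceStorageUploadMock::assureFileUploadPermissions()` re-implements the parent's upload-size check in full just to drop the `is_uploaded_file()` condition, so the copy will silently drift if the core method changes (the commented-out `throw new UploadException(...)` already refers to a class this file does not import). Suggest a class docblock stating that this mock exists only to bypass `is_uploaded_file()` for functional tests and must not be registered outside `Tests/`, and, if feasible, narrowing the override to the single condition rather than the whole method body.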
Vulnerability mechanics
Root cause
"The Form Framework's upload restriction did not properly validate file extensions, allowing mixed-case extensions to bypass checks."
Attack vector
Backend users with file write permissions can upload form definition files with mixed-case extensions, such as `.FORM.YAML`. This bypasses the intended upload restrictions. A maliciously crafted form definition file can then be used to execute arbitrary SQL statements.
Affected code
The vulnerability surfaces through the `ExtendedFileUtility` upload path, where form definition files were recognised by an exact, case-sensitive match on their extension. The patches refine that detection in the resource layer: `LocalDriver::sanitizeFileName()` lower-cases file names on case-insensitive storages, and `FilePersistenceSlot::isFormDefinition()` lower-cases the identifier before comparing it against the form definition suffix; the new `ExtendedFileUtilityTest` exercises uploads of `temp-lowercase.form.yaml` and `temp-uppercase.FORM.YAML` on both storage types.
What the fix does
The patches make the form definition suffix check case-insensitive. Files with mixed-case extensions such as `.FORM.YAML` are now treated like `.form.yaml` and are no longer accepted where form definitions are restricted, which prevents the upload of malicious form definition files and closes the path to the SQL injection.
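The pre-fix and post-fix suffix checks side by side, as an added example that is not TYPO3 code: `isFormDefinitionVulnerable()` mirrors the removed `-` line of the `FilePersistenceSlot` hunk, `isFormDefinitionFixed()` mirrors the added `+` lines (with an explicit encoding), and `sanitizeFileName()` is a simplified stand-in for the `LocalDriver` change with a placeholder character class instead of TYPO3's `UNSAFE_FILENAME_CHARACTER_EXPRESSION`. The sample names are constructed; "protected" means the name is recognised as a form definition and therefore subject to the Form Framework's upload restriction.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code): the case-sensitive check from before the fix,
// the case-insensitive check from after it, and a simplified sanitizer.
const FORM_DEFINITION_FILE_EXTENSION = '.form.yaml';

// Pre-fix behaviour: exact, case-sensitive suffix match, so "X.FORM.YAML"
// is not recognised as a form definition and escapes the restriction.
function isFormDefinitionVulnerable(string $identifier): bool
{
    return str_ends_with($identifier, FORM_DEFINITION_FILE_EXTENSION);
}

// Post-fix behaviour: canonicalise to lower case first, then compare.
// The encoding is passed explicitly so the result does not depend on mbstring defaults.
function isFormDefinitionFixed(string $identifier): bool
{
    return str_ends_with(mb_strtolower($identifier, 'UTF-8'), FORM_DEFINITION_FILE_EXTENSION);
}

// Simplified stand-in for LocalDriver::sanitizeFileName(): replace characters
// outside a placeholder safe set, lower-case on case-insensitive storages so
// later suffix checks see one canonical form, then strip trailing dots.
function sanitizeFileName(string $fileName, bool $caseSensitiveFileSystem): string
{
    $clean = (string)preg_replace('/[^.a-zA-Z0-9_-]/', '_', trim($fileName));
    if (!$caseSensitiveFileSystem) {
        $clean = strtolower($clean);
    }
    return rtrim($clean, '.');
}

// Constructed sample names, including the mixed-case variant from the advisory.
$samples = [
    'contact.form.yaml',
    'contact.FORM.YAML',
    'contact.Form.Yaml',
    'contact.form.yaml.',  // trailing dot: stripped by the sanitizer
    'readme.txt',
];

printf("%-20s %-14s %-14s %s\n", 'name', 'pre-fix', 'post-fix', 'sanitized (case-insensitive fs)');
foreach ($samples as $name) {
    printf(
        "%-20s %-14s %-14s %s\n",
        $name,
        isFormDefinitionVulnerable($name) ? 'protected' : 'NOT protected',
        isFormDefinitionFixed($name) ? 'protected' : 'not protected',
        sanitizeFileName($name, false)
    );
}
```

Two things stand out in the output: `contact.FORM.YAML` and `contact.Form.Yaml` are "NOT protected" under the pre-fix check and "protected" under the post-fix one, and on a case-insensitive storage the sanitizer alone already turns `contact.FORM.YAML` into `contact.form.yaml`, which is why the patch changes both layers: the slot check covers case-sensitive storages where the original casing is kept.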
Preconditions
- auth: The attacker must be a backend user with file write permissions.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (3)
- TYPO3 CMS: Thirteen Backend Vulnerabilities Disclosed on June 9, 2026 (Vypr Intelligence · Jun 9, 2026)