TYPO3 12.4.46—What’s Changed?

Released: June 9, 2026
Update type: Security release

TYPO3 12.4.46 is a critical security release addressing multiple vulnerabilities in file handling, access control, and deserialization. This release fixes 11 security issues, including path traversal vulnerabilities, permission bypasses, open redirection, and improper file access validation. All users should update immediately.

Security Fixes

  • Deserialization vulnerabilities mitigated — Fixed critical deserialization flaws that could lead to remote code execution.
  • Path traversal protection improved — Fixed path prefix confusion in isAllowedAbsPath to prevent unauthorized file access.
  • File access validation enhanced — Added proper permission checks before displaying file metadata and when accessing files in FileDownloadController.
  • Form file extension handling secured — Properly validated .form.yaml file extensions in both form handling and resource layer to prevent unauthorized access.
  • Clipboard security hardened — Added record and file access validation when adding items to the clipboard.
  • Open redirection vulnerability fixed — Improved URL sanitization in GeneralUtility::sanitizeLocalUrl to prevent malicious redirects.
  • Record undelete permissions enforced — Added proper permission validation when restoring deleted records.
  • Mount folder protection strengthened — Blocked destructive write actions on mount folders to prevent unauthorized modifications.
  • HTML sanitizer updated — Upgraded TYPO3/html-sanitizer to version 2.3.2 with additional security improvements.
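The "path prefix confusion" named above is a general bug class: a plain text prefix test on a path lets sibling directories that share the allowed root's name pass, and leaves "../" segments unresolved. The following PHP is an added illustration of that class beside a hardened check; it is not TYPO3's own isAllowedAbsPath, and the function names and directory paths are constructed for the example.

```php
<?php
// Added illustration of the "path prefix confusion" bug class named in the
// release notes. Not TYPO3 code: function names and paths are constructed.

// Naive check: a plain text prefix test. "/var/www/site-backup/secret.env"
// passes for root "/var/www/site", and "../" segments are never resolved.
function isAllowedPathNaive(string $path, string $allowedRoot): bool
{
    return str_starts_with($path, $allowedRoot);
}

// Hardened check: normalise both sides, then require the path to equal the
// root or to continue with a separator. Appending the separator is what
// rules out sibling directories that merely share the root's name as prefix.
function isAllowedPathStrict(string $path, string $allowedRoot): bool
{
    $root = normalizePath($allowedRoot);
    $candidate = normalizePath($path);
    return $candidate === $root || str_starts_with($candidate, $root . '/');
}

// Resolve "." and ".." lexically (no filesystem access, so symlinks are not
// followed; use realpath() on existing files when that matters).
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
        } else {
            $parts[] = $segment;
        }
    }
    return '/' . implode('/', $parts);
}

// Constructed inputs: first two lie inside the root, the last two do not.
$root = '/var/www/site';
$samples = ['/var/www/site', '/var/www/site/fileadmin/a.txt',
            '/var/www/site-backup/secret.env', '/var/www/site/../other/x'];
foreach ($samples as $p) {
    printf("%-36s naive=%-5s strict=%s\n", $p,
        isAllowedPathNaive($p, $root) ? 'allow' : 'deny',
        isAllowedPathStrict($p, $root) ? 'allow' : 'deny');
}
```

The naive check allows all four constructed paths, while the strict check allows only the two that actually lie under the root.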

Backend & Administration

  • Site Configuration security improved — Removed f:format.raw from returnUrl field in SiteConfiguration to prevent XSS vulnerabilities.

Technical Changes

  • DeserializationService extracted — Refactored deserialization logic into a dedicated service for better maintainability.
  • Symfony packages updated — Updated all Symfony dependencies to their latest compatible versions.
  • CI/CD improvements — Migrated from GitLab CI to GitHub Actions and enhanced pre-merge testing procedures.