---
title: "TYPO3 13.4.31—What’s Changed?"
url: "https://b13.com/release-digests/v13/typo3-13431-whats-changed"
date: 2026-06-09
modified: 2026-06-09
lastUpdated: 2026-06-09
---

# TYPO3 13.4.31—What’s Changed?

Released: June 9, 2026
Update type: Security release

TYPO3 13.4.31 is a critical security release addressing 13 vulnerabilities including deserialization flaws, path traversal issues, unauthorized record operations, and XSS vulnerabilities. All TYPO3 13.4 installations should be updated immediately. The release also includes minor bugfixes and dependency updates.

Security Fixes
--------------

- **Deserialization vulnerabilities mitigated** — Critical fixes to prevent exploitation of deserialization flaws that could lead to remote code execution.
- **Path traversal protection enhanced** — Fixed path prefix confusion in isAllowedAbsPath and added proper .form.yaml file extension validation to prevent unauthorized file access.
- **Unauthorized record operations prevented** — Added permission checks for clipboard operations, record moves via DataHandler, and record undelete actions.
- **File access controls strengthened** — Implemented permission checks before showing file metadata and prevented downloads from fallback storage in FileDownloadController.
- **Mount folder protection** — Denied destructive write actions on mount folders to prevent unauthorized file manipulation.
- **XSS vulnerabilities fixed** — Encoded indexed search results in frontend rendering to prevent cross-site scripting attacks.
- **Open redirection fixed** — Corrected open redirection vulnerability in GeneralUtility::sanitizeLocalUrl.
- **HTML sanitizer updated** — Raised TYPO3/html-sanitizer to version 2.3.2 for improved security.
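
A generic illustration of the path prefix confusion bug class named in the list above: an allowed-path check that compares string prefixes without requiring a directory boundary. This is an added example, not TYPO3 core code and not the actual isAllowedAbsPath change; the helper names and the `/var/www/site` root are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers illustrating the bug class; not TYPO3 core code (PHP 8.0+ for str_starts_with).

/** Collapse "." and ".." segments lexically; symlinks are not resolved here. */
function normalizePath(string $path): string
{
    $segments = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    return '/' . implode('/', $segments);
}

/** Weak form: a bare prefix test treats "/var/www/site-backup" as inside "/var/www/site". */
function isInsideRootWeak(string $path, string $root): bool
{
    return str_starts_with(normalizePath($path), normalizePath($root));
}

/** Hardened form: accept the root itself, or the root followed by a directory separator. */
function isInsideRootStrict(string $path, string $root): bool
{
    $path = normalizePath($path);
    $root = rtrim(normalizePath($root), '/');
    return $path === $root || str_starts_with($path, $root . '/');
}

// Constructed sample paths; the project root is an assumption for this example.
$root = '/var/www/site';
$samples = [
    '/var/www/site/fileadmin/form.yaml',   // inside the root
    '/var/www/site',                       // the root itself
    '/var/www/site-backup/secrets.yaml',   // sibling directory sharing the prefix
    '/var/www/site/../site-backup/x.yaml', // ".." segments that land in the sibling
];
foreach ($samples as $sample) {
    printf("%-38s weak=%s strict=%s\n", $sample,
        var_export(isInsideRootWeak($sample, $root), true),
        var_export(isInsideRootStrict($sample, $root), true));
}
```

The weak check accepts the two sibling-directory samples because they share the root's leading characters; the strict check rejects both.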

Editing & UX Improvements
-----------------------------

- **Site configuration security** — Removed f:format.raw on SiteConfiguration returnUrl field to prevent potential XSS issues.

Backend & Administration
----------------------------

- **Cache garbage collection optimization** — Cache GC now runs in chunks for better performance with large cache tables.
- **Reset password enforcement** — Added proper isEnabled() check in ResetPasswordController to ensure the feature is only available when enabled.

Technical Changes
-----------------

- **TCA select item grouping fixed** — Corrected handling of “top” position in EMU::addTcaSelectItemGroup() method.
- **Dependency updates** — Updated Symfony packages to LTS version 7.4.13 and PHPStan to version 2.2.2.
- **Deserialization service extracted** — Refactored DeserializationService from PolymorphicDeserializer for better code organization.
- **Test infrastructure improved** — Added TTY/non-interactive detection in runTests.sh for better CI/CD compatibility.

- [Download TYPO3 13](https://get.typo3.org/version/13)
- [Official release announcement](https://news.typo3.com/article/typo3-1433-and-13431-security-releases-published)
- [Full changelog](https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog-13/Index.html)