TYPO3 14.3.3—What’s Changed?
Released: June 9, 2026
Update type: Security release
TYPO3 14.3.3 is a critical security release addressing 14 security vulnerabilities across multiple components, including file handling, access control, deserialization, and XSS prevention. All TYPO3 14.x users should upgrade immediately. The release also includes several bug fixes for the backend, DataHandler, and frontend rendering.
Security Fixes
- Form YAML file extension validation — Properly evaluates .form.yaml file extensions and detects suffixes in resource layer to prevent unauthorized form definition access.
- Deserialization vulnerabilities mitigated — Guards against deserialization flaws and form_definition DataHandler access to prevent remote code execution.
- File and record access controls hardened — Validates file permissions before showing metadata, checks record/file access when adding to clipboard, validates permissions on record undelete, and prevents unauthorized record moves via DataHandler.
- Path traversal protection — Fixes path prefix confusion in isAllowedAbsPath to prevent directory traversal attacks.
- File download security — Avoids downloads from fallback storage in FileDownloadController to prevent unauthorized file access.
- Mount folder protection — Denies destructive write actions on mount folders to protect critical file system locations.
- XSS prevention — Encodes indexed search results in frontend rendering to prevent cross-site scripting attacks.
- Open redirect fixed — Resolves open redirection vulnerability in GeneralUtility::sanitizeLocalUrl.
- HTML sanitizer updated — Raises TYPO3/html-sanitizer to v2.3.2 with additional security improvements.
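The path traversal item above names a bug class, path prefix confusion, in which a plain string-prefix test treats a sibling directory as lying inside the allowed root. The PHP below is an added example of that class next to a boundary-aware check; it is not TYPO3's code or the actual patch, and the function names and sample paths are constructed for illustration (POSIX-style absolute paths and PHP 8.0+ are assumed).

```php
<?php
declare(strict_types=1);

// Hypothetical helper: collapse "." and ".." segments lexically, without
// touching the file system (realpath() fails for paths that do not exist yet).
function normalizePath(string $path): string
{
    $segments = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    return '/' . implode('/', $segments);
}

// Weak check: plain string prefix, so a sibling directory whose name merely
// begins with the root's name is accepted, and ".." segments are not resolved.
function isInsideRootWeak(string $path, string $root): bool
{
    return str_starts_with($path, $root);
}

// Hardened check: normalize both sides, then compare on a directory boundary.
function isInsideRootStrict(string $path, string $root): bool
{
    $path = normalizePath($path);
    $root = rtrim(normalizePath($root), '/');
    return $path === $root || str_starts_with($path, $root . '/');
}

// Constructed sample paths, not taken from the release.
$root = '/var/www/site';
$samples = [
    '/var/www/site/fileadmin/a.txt',    // inside the root
    '/var/www/site-backup/secrets.env', // sibling sharing the prefix
    '/var/www/site/../site-backup/x',   // dot segments leaving the root
    '/var/www/site',                    // the root itself
];
foreach ($samples as $p) {
    printf("%-34s weak=%-5s strict=%s\n", $p,
        var_export(isInsideRootWeak($p, $root), true),
        var_export(isInsideRootStrict($p, $root), true));
}
```

Lexical normalization does not resolve symbolic links, so a check that must account for links also needs realpath() on paths that already exist.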
Editing & UX Improvements
- Internal description always visible — Backend preview now consistently renders internal description fields.
- Title length consistency — User setting “Max title length” is now applied consistently across all backend views.
- Multi-upload field IDs — Uses unique IDs for resource pointer fields in multi-upload fields to prevent conflicts.
- Label processing optimization — Skips label_alt processing when formattedLabel_userFunc is set, improving performance and avoiding conflicts.
Backend & Administration
- Site configuration security — Drops f:format.raw on SiteConfiguration returnUrl field to prevent injection attacks.
- MenuProcessor titleField restored — Restores support for titleField configuration in MenuProcessor for custom page title rendering.
- Constant editor wrap type fixed — Corrects string splitting and event binding for constant editor type “wrap”.
- TCA select item groups positioning — Respects position “top” in EMU::addTcaSelectItemGroup() for correct item group ordering.
- Scheduler enhancements — Adds AfterTaskExecutionEvent for better scheduler task integration and re-adds SchedulerTaskRepository methods for backward compatibility.
- Workspace state display — Passes hasDiff parameter at correct position to workspaceState() for accurate diff indication.
Technical Changes
- Language pack update optimization — Avoids redundant scans during language pack updates for faster processing.
- Cache garbage collection improved — Runs cache GC in chunks to prevent memory exhaustion on large installations.
- PageRepository initialization optimized — Avoids unnecessary database call in PageRepository->__construct()->init() for better performance.
- Translation service hardening — Guards getProperties() call with instanceof check and against uninitialized setup array to prevent exceptions.
- Dependency updates — Updates symfony/* packages to 7.4.13 and phpstan to 2.2.2 for improved compatibility and analysis.
- DateTime handling fix — Prevents exception when using BU::daysUntil with DateTime objects.