TYPO3 14.3.1 + 13.4.29
What 14.3.1 and 13.4.29 change, which bugs matter for operators, and in what order you should roll out.
26 May 2026. The TYPO3 Core Team has published two maintenance releases in parallel: 14.3.2 as the LTS continuation of the v14 line and 13.4.30 for the v13 LTS. Both carry pure bugfix and maintenance changes; the official news announcement explicitly classifies them as „maintenance releases only". There is no dedicated core security advisory (SA-CORE-2026-*) in this cycle.
Note for my customers: your installations have already received both updates automatically through my continuous-deployment pipeline — 14.3.2 on the v14 stacks, 13.4.30 on the LTS stacks. Caches are flushed, smoke tests have run. No action required on your side.
The most substantial commit raises four symfony/* packages and composer/composer (as a devdep) to new minimum constraints on 25 May, one day before release; the commit message explicitly lists nine underlying CVEs (across mailer, mime, routing, yaml, transitive cache, plus composer/composer). On top of that there's an npm devdep cleanup on release day, a site-aware cache-tag collection, an MD5 password-hint cleanup in the Install Tool alert email, and in 14.3.2 additionally a live-search detail, a Fluid CLI extension and three documentation corrections.

Two parallel maintenance releases, no core security advisory, but a Symfony/Composer constraint raise whose commit message names nine underlying CVEs.
| Question | Answer |
|---|---|
| Affected? | All operators running TYPO3 14.3.x LTS and 13.4.x LTS. Recommended target versions: 14.3.2 and 13.4.30. |
| What changes? | The Symfony packages mailer, mime, routing, yaml are raised in composer.json from ^7.4.8 to ^7.4.12; symfony/cache follows transitively. The composer/composer devdep moves from ^2.9.7 to ^2.9.8. Plus an npm devdep cleanup, a site-aware cache-tag collection, an MD5 cleanup. |
| Immediate action? | On my side: none — the pipeline has already rolled the update. For self-hosted installations: composer update typo3/cms-* --with-dependencies plus a cache flush. |
| Recommendation? | If you run continuous deployment, you'll have the update with the next regular pipeline run. If you run maintenance windows, slot it into your next scheduled window. No emergency rollout. |
| What's NOT in the update? | The Symfony May disclosure wave from 20 May (CVE-2026-46626 SymfonyRuntime, CVE-2026-45075 IsGranted HEAD bypass, CVE-2026-45071 DomCrawler XXE, CVE-2026-45072 WebProfiler XSS) is not explicitly referenced in this drop's commit message. And: TYPO3 uses Fluid, not Twig — the parallel Twig sandbox family 3.26.0 does not touch the TYPO3 core. |
Three sentences for operators: The update belongs in your standard pipeline run — if you run continuous deployment like I do, let it flow through the pipeline without a special maintenance window. If you want exact visibility into your Composer resolve's CVE coverage, composer update typo3/cms-* --with-dependencies followed by composer show symfony/mailer symfony/mime symfony/routing symfony/yaml symfony/cache composer/composer gives you the receipts. The npm devdep cleanup in the core is a good moment to run npm audit --omit=dev against your own sitepackage toolchain.
TYPO3 14.3.2 is the second maintenance iteration of the 14.3 LTS line after 14.3.1 from 12 May 2026. 13.4.30 is the thirtieth maintenance drop on the running 13.4 LTS and continues the series from 12 May (13.4.29). Both releases shipped on the same day (26 May 2026); the joint TYPO3 news ticket calls them „maintenance releases only" and explicitly notes: no database updates required, flush caches if needed.
Important framing: neither the official TYPO3 news page nor the release notes name a dedicated SA-CORE-2026-* advisory or a security context. The Symfony raise commit message does list the underlying CVEs in plain text (see „What changed in terms of security" below), but TYPO3's external communication treats them as regular dependency maintenance. I follow that language in this post: this is a maintenance drop, not an emergency patch, and it belongs in your normal pipeline run, not in a weekend special window.
If you're currently on 14.3.1 or 13.4.29, the update brings no database migration — the upgrade path is composer update typo3/cms-* --with-dependencies plus one cache flush. If you're on 14.3.0 or 13.4.28 or older, you pull the roll-up in the same pipeline run — in particular because of the memory limit recommendation from 14.3.1 (256 MB minimum, 512 MB recommended) and the now-raised Symfony constraints.
14.3.2 contains twelve commits since 14.3.1 (including the release and version-bump commits). We go through each entry.
Commit a6aede1e839 (25 May 2026, Oliver Hader) raises the minimum constraints of four symfony/* packages and composer/composer (devdep) in the core's composer.json. The maintainer explicitly documents the packages, the new minimum versions and the underlying CVEs in the commit message (see „What changed in terms of security" below for the full list).
Operationally that means: after composer update typo3/cms-* --with-dependencies, TYPO3 14.3.2 sits at least on the ^7.4.12 line of symfony/mailer, symfony/mime, symfony/routing, symfony/yaml, and Composer as a devdep is on ^2.9.8. Other Symfony components (http-foundation, http-kernel, console, dependency-injection, etc.) remain on their previous ^7.4.8 constraint in composer.json — Composer can pull them transitively to current 7.4.x versions on composer update -W if the lockfile allows. The concrete versions you end up with show up via composer show symfony/*.
Commit 8c0c8fb2d52 (26 May 2026, Oliver Hader) clears out the known vulnerable npm devdep findings that accumulated over the past weeks. The concrete packages are in the commit diff; in aggregate this affects asset-build toolchain packages (bundlers, linters, test runners), not the frontend bundles delivered to the browser. Operationally that means: the protection applies to the developer / CI machine, not to the end user.
If you maintain your own sitepackage toolchain, run npm audit --omit=dev against your own package-lock.json — the core hygiene is a template, not a replacement. Context: today's Kim daily brief „Claude Code and Gemini CLI in the crosshairs of financially motivated attackers" describes how developer workstations and their toolchains are becoming the primary entry point for supply-chain campaigns.
Commit 30cf9cf0739 (20 May 2026, Soren Malling) adds the current site to the cache-tag collection. Consequence: when the cache layer keeps tags per site (reverse-proxy invalidation, application-internal tag flushes), invalidation can now happen cleanly per site instead of accidentally producing cross-site tag overlaps. Relevant for multi-site setups — typical for tenant setups, multiple domains per instance, or language overlays with their own cache strategy. In single-site setups, little changes operationally.
Commit f086fca11c9 (18 May 2026, Oliver Hader) removes a hint sentence from the Install Tool alert email that historically still mentioned MD5 as a possible password hash algorithm. MD5 has been out of every serious recommendation for password hashing for years; the hint text had no business in a 2026 Install Tool email. Cosmetic cleanup with a clear signal.
Commit 8e92e74ff13 (18 May 2026, Benjamin Kott) repairs the live-search result list: for multilingual content, the language flag was no longer reliably shown. With the fix, editors see again which language overlay a hit belongs to — helpful in setups with two or more active languages.
fluid:analyze detects deprecated useNonce (TASK, developer-relevant)Commit 92757cf77cf (17 May 2026, Simon Praetorius) extends the Fluid CLI analyze command: the now-deprecated useNonce parameter is detected and reported by the analyze stage. For sitepackage maintainers this means: a vendor/bin/typo3 fluid:analyze now flags early where the old construct still sits in your templates, before a later TYPO3 major drops it.
Commit 8e865b55f8b (20 May 2026, Chris Müller) corrects the documentation entry for the UUID type's field column size in the changelog. Commit 657989535fb (19 May 2026, Markus Klein) raises the phpstan/phpstan version. Commit 983d845b6b8 (13 May 2026, Markus Klein) adds an explicit documentation note on the correct usage of the PageDoktypeRegistry. Commit 775540e17c1 (12 May 2026, Chris Müller) corrects the namespace for QueryResultPaginator in a changelog entry.
Commit 7ea76cc903f (12 May 2026, Oliver Hader) sets the TYPO3 version to 14.3.2-dev. Commit d3b483b4a41 (26 May 2026, Oliver Hader) is the actual release commit.
13.4.30 contains eight commits since 13.4.29 (including the release and version-bump commits). Six of them are content-identical to the 14.3.2 list — the LTS line gets the same maintenance focus, just without the four v14-specific detail fixes (live-search flag, fluid:analyze-useNonce, two changelog documentation patches).
Commit 4fd2524fe60 (25 May 2026, Oliver Hader) is the LTS variant of the v14 raise. Identical content: symfony/mailer ^7.4.12, symfony/mime ^7.4.12, symfony/routing ^7.4.12, symfony/yaml ^7.4.12, symfony/cache ^7.4.12 (transitive), composer/composer ^2.9.8 (devdep). The CVEs documented in the commit message are the same nine as in 14.3.2 (full list in the next section).
Commit 5cf5009a98e (26 May 2026, Oliver Hader) is the LTS variant. Identical reasoning as in 14.3.2 — developer / CI toolchain, not production frontend bundles.
Commit 8af66a56dd1 (20 May 2026, Soren Malling) — identical to the v14 version. Multi-site setups benefit, single-site setups remain unchanged.
Commit e5a03a90328 (18 May 2026, Oliver Hader) — the LTS backport of the MD5 cleanup commit.
phpstan raiseCommit c21bbb58c79 (19 May 2026, Markus Klein) — toolchain hygiene, identical to the v14 version.
Commit 9db9ab10cbc (13 May 2026, Markus Klein) — the same documentation patch as in 14.3.2.
Commit 74967a6f11d (12 May 2026, Oliver Hader) sets the TYPO3 version to 13.4.30-dev. Commit 09b644f9e12 (26 May 2026, Oliver Hader) is the release commit.
Four 14.3.2 commits do not travel back to the LTS line (reasoning inferred from the architectural difference — TYPO3 does not name backport reasons in the release notes diff):
8e92e74ff13) — the live-search implementation differs in detail architecture between v13 and v14; a 1:1 backport would not be a clean cherry-pick.fluid:analyze detection of deprecated useNonce (92757cf77cf) — the deprecation marker itself sits in the v14 Fluid line, not in 13.4.8e865b55f8b) and QueryResultPaginator namespace doc (775540e17c1) — both belong to the v14 changelog housekeeping.At the TYPO3 core level: nothing. No new SA-CORE-2026-* advisory, no [SECURITY] tag in the commit logs, no security context in the release notes or the news article.
At the dependency level: per its commit message, the Symfony raise from 25 May addresses nine CVEs across four direct Symfony packages, one transitive Symfony component, and Composer as a devdep. TYPO3 explicitly does not choose the path of a dedicated core advisory for cases like this and instead integrates the dependency patches into the next regular maintenance drop. That is the conservative line that is standard in TYPO3 maintainer practice: a core advisory attaches to the core's code path, not to the code paths of its dependencies.
The maintainer Oliver Hader names nine CVEs in the commit message of the symfony/* and composer/composer raise. We list them here with package context and a short take so that DPOs and IT leads on the customer side can document the carryover:
symfony/mailer ^7.4.12 — CVE-2026-45068: argument injection in SendmailTransport via a dash-prefixed recipient address. Relevant wherever TYPO3 sends email itself (newsletters, contact forms, system notifications).symfony/mime ^7.4.12 — CVE-2026-45067 (CRLF email header / SMTP command injection in Symfony\Component\Mime\Address) and CVE-2026-45070: two MIME parser vulnerabilities. Relevant in any application that parses incoming MIME messages or composes outgoing ones (symfony/mailer builds on symfony/mime internally).symfony/routing ^7.4.12 — CVE-2026-45065: UrlGenerator route-requirement bypass via unanchored regex alternation that leads to off-site //host URL injection. TYPO3 uses its own site routing logic, but the Symfony routing code is used indirectly in several places (CLI, backend routes).symfony/yaml ^7.4.12 — CVE-2026-45304 (bounded collection-alias resolution), CVE-2026-45305 (YAML parser ReDoS via catastrophic backtracking in Parser::cleanup()), CVE-2026-45133 (bounded recursion depth in parser): three YAML parser CVEs. Relevant wherever YAML input is processed (site configuration, services.yaml at the DI layer, form definitions in YAML format, own extensions with YAML configs).symfony/cache ^7.4.12 — CVE-2026-45073: cache component, not directly referenced in the TYPO3 core, but pulled in transitively via other Symfony packages.composer/composer ^2.9.8 — CVE-2026-45793: GitHub-token leak in Composer. I had a dedicated post on this on 14 May 2026. The patch now also lands in the TYPO3 core devdep baseline — relevant for setups that use Composer as a library (not just as a CLI).The Symfony May disclosure wave from 20 May 2026 (CVE-2026-46626 SymfonyRuntime, CVE-2026-45075 IsGranted / HEAD bypass, CVE-2026-45071 DomCrawler XXE, CVE-2026-45072 WebProfiler XSS) is not explicitly referenced in this constraint raise. If you want to address that wave, check with composer why-not symfony/http-foundation:^7.4.12 and composer why-not symfony/security-core:^7.4.12 whether your own constraints allow the Composer resolve to move other Symfony packages to 7.4.12 — Composer often pulls them in transitively under -W / --with-dependencies, but they are not pinned in the TYPO3 core.
Twig sandbox wave from 20 May: Twig is not part of the TYPO3 core — TYPO3 uses Fluid (typo3fluid/fluid) as its template engine. If you use Twig in a custom extension or a standalone component on the side, maintain the Twig patch level independently of the TYPO3 release through your own Composer constraint.
What this reading means for operators: let the update flow through the pipeline as usual — in my case with continuous deployment, in the same iteration in which TYPO3 maintenance releases automatically pass through anyway. If you run a maintenance-window-driven operation, this release belongs in your next scheduled window. There is no emergency tier from TYPO3's perspective, and I mirror that.
Three profiles with different priority:
f:render.text backport, Composer 2.9.7, drag-and-drop fix) in the same run.npm audit --omit=dev against your own sitepackage is the right follow-up after this release. If you still build templates with the now-deprecated useNonce, run vendor/bin/typo3 fluid:analyze against 14.3.2 — even if it's not a standard pipeline stage for everyone.If you're on 14.0 / 14.1 / 14.2, you should move to 14.3 in any case — those intermediate versions no longer receive maintenance.
Maintenance releases deserve discipline, not drama. If you run continuous deployment like I do, the update is in the next regular pipeline run anyway. If you run maintenance windows, slot it into the next scheduled one.
composer why symfony/mailer, composer why symfony/mime, composer why symfony/routing, composer why symfony/yaml to verify that none of your own constraints block the patch jump.npm audit --omit=dev against your asset pipeline and fix open findings in the same run.composer require symfony/mime:"^7.4.12" if you're stuck on a lower constraint today.
# Check TYPO3 version
vendor/bin/typo3 --version
# Symfony constraint checks (one per package from the raise)
composer why symfony/mailer
composer why symfony/mime
composer why symfony/routing
composer why symfony/yaml
composer why composer/composer
# Optional: check whether the Composer resolve can move to 7.4.12 per package
composer why-not symfony/mailer:^7.4.12
composer why-not symfony/mime:^7.4.12
composer why-not symfony/routing:^7.4.12
composer why-not symfony/yaml:^7.4.12
# Simulate the Composer update
composer update typo3/cms-* --with-dependencies --dry-run
# npm devdep audit (your own sitepackage toolchain)
npm audit --omit=dev
# After the update: flush caches
vendor/bin/typo3 cache:flush
vendor/bin/typo3 upgrade:list and have it on the record.composer update across all packages. I keep the scope on typo3/cms-* --with-dependencies and only chase Symfony / Composer constraints if the sitepackage constraint blocks them today.My TYPO3 stack strategy runs along two lines in parallel: my own sites sit on the 14.3 LTS line, while I support 13.4 LTS at customers depending on the contract base. I do not run a classic maintenance-window model, but continuous deployment: TYPO3 core updates travel through the pipeline at the same cadence as sitepackage changes (Renovate PR, automated test run, review, merge, deployment).
composer why symfony/mailer, composer why symfony/mime, composer why symfony/routing, composer why symfony/yaml and composer why composer/composer run automatically in a pre-merge stage — I have no constraint of my own in the way, the patch jump passes cleanly through the standard resolve.npm audit --omit=dev against moselwal/sitepackage-base, open findings cleared in the same pipeline run.No, this is not an emergency update. TYPO3 explicitly classifies the releases as „maintenance only" and does not issue a dedicated core security advisory. The commit message of the Symfony / Composer constraint raise carries nine CVE references, but TYPO3 still does not frame the release as a security update. If you run continuous deployment, 14.3.2 will be in your next regular pipeline run. If you run maintenance windows, slot it into the next scheduled one.
The commit message of a6aede1e839 (14.3.2) and 4fd2524fe60 (13.4.30) explicitly names: CVE-2026-45068 (mailer), CVE-2026-45067 and CVE-2026-45070 (mime), CVE-2026-45065 (routing), CVE-2026-45304, CVE-2026-45305 and CVE-2026-45133 (yaml), CVE-2026-45073 (cache, transitive), CVE-2026-45793 (composer/composer as a devdep). The concrete versions that end up in your lockfile show up via composer show symfony/mailer symfony/mime symfony/routing symfony/yaml symfony/cache composer/composer.
That wave is not explicitly referenced in the commit message of the current TYPO3 raise. It affects packages that TYPO3 either uses differently in the core or whose constraints were not lifted in this drop. Composer may pull them in transitively under composer update -W if the other Symfony packages in composer.json have a constraint range that includes the patched versions — but they are not explicitly pinned.
No. Unlike 13.4.29 (f:render.text backport, Composer 2.9.7, Fluid Standalone 4.6.1), 13.4.30 is a pure maintenance release. The eight commits are all backports, dependency raises, or documentation patches.
No. Both release notes explicitly state: „No database updates are necessary." After the update, flush all caches once (Install Tool → Important Actions → Flush Cache, or via CLI vendor/bin/typo3 cache:flush).
Yes. The commit on site-aware cache-tag collection makes cache-tag operations include the current site. In multi-site setups (multiple sites under the same TYPO3 instance, per-tenant reverse-proxy invalidation), tag separation between sites becomes cleaner. In single-site setups, little changes operationally.
Not „problematic" in the sense of a vulnerability, but an outdated hint sentence that still mentioned MD5 as a possible password hash algorithm. MD5 has been out of every serious recommendation for password hashing for years. The hint text simply had no business in a 2026 Install Tool email — cosmetic cleanup with a clear signal.
The useNonce parameter is marked deprecated in the v14 Fluid line and will be removed in a later major version. With 14.3.2, the CLI command vendor/bin/typo3 fluid:analyze detects the use of it in your templates and reports it. If you don't run fluid:analyze in the CI pipeline, you can invoke the command ad hoc before the next major migration — it does not replace a test, but it finds this class of deprecations quickly.
TYPO3 14.3.2 and 13.4.30 are small, focused maintenance releases announced by TYPO3 itself as „maintenance only". There is no dedicated core security advisory in this cycle. The Symfony / Composer constraint raise from 25 May carries nine CVE references in its commit message — symfony/mailer, symfony/mime, symfony/routing, symfony/yaml, transitive symfony/cache, plus composer/composer — but that information sits only in the commit log, not in the release's external communication.
I read this the same way TYPO3 frames it: a regular maintenance drop that happens to carry a series of dependency patches. Under continuous deployment that means the update is in the right place in the regular pipeline run — no special maintenance window, no emergency rollout, no weekend action. If you run maintenance-window operation, attach the update to the next scheduled window. If you want to document it in writing before an audit appointment, copy the nine CVE references from the commit message into the maintenance / CD note and you have the state on record.
The parallel npm devdep cleanup in the core is a helpful prompt to walk through your own sitepackage toolchain with npm audit --omit=dev — especially in a week where the developer workstation is structurally named as an entry point (Claude Code / Gemini CLI installer impersonation, Shai-Hulud / AntV wave).
TYPO3 updates without drama — continuous deployment instead of maintenance windows, with verifiable constraint audits per drop.
I run TYPO3 14.3 LTS and 13.4 LTS installations with a continuous-deployment pipeline: Renovate PR, automated Composer constraint check, sitepackage acceptance tests, visual regression, cache verification, rollback path. Where a dependency raise (as in this month's case) carries CVE references in the commit log, I document the carryover in writing for the DPO / IT leads on the customer side — in the language TYPO3 itself uses: a regular maintenance drop with transitively carried dependency patches.
If you want to lift your TYPO3 maintenance from „maintenance-window-driven with uncertain patch state" to „continuous deployment with documented constraint discipline" — with traceable Composer resolve history, your own sitepackage npm audit routine and patch-state evidence for DPO / audit purposes — talk to me.
![[Translate to English:] Foto von Kai Ole Hartwig.](/fileadmin/_processed_/e/9/csm_ole-neu_73323ad80d.jpeg)
Programming since 2002 – self-taught, set up my own business with KO-Web in 2012. Over 100 projects, with a focus on security, performance, automation and quality. Today freelance: DevSecOps consulting, training and software development.