Release Notes for TYPO3 CMS 10.2.2

This document contains information about TYPO3 CMS 10.2.2 which was released on 17.12.2019.

Checksums of TYPO3 10.2.2

SHA256:
2ce3150dc4988868207a862557119bbd6fd021145c323174b5cdecd1d8265de7 typo3_src-10.2.2.tar.gz
926674ea35d69cdc71dde4baffe8e13624c7e08d044caa254da62daf1a38ecb9 typo3_src-10.2.2.zip

SHA1:
f5113455bd826874f8d6645bd43f34f9ddbc8c2e typo3_src-10.2.2.tar.gz
c46db15ecd5643a806d7e25955d6c0c4108b4440 typo3_src-10.2.2.zip

MD5:
541469892abaf06d2c23ccbd942446fd typo3_src-10.2.2.tar.gz
1e32e5993323b6a1097196ebf2af8d0f typo3_src-10.2.2.zip


The usual upgrade procedure applies. No database updates are necessary. You may need to clear all caches; the "important actions" section in the TYPO3 Install Tool provides an option to do so.


Here is a list of what was fixed since 10.2.0:

  • 2019-12-17 b7d2c8f952 [RELEASE] Release of TYPO3 10.2.2 (thanks to Oliver Hader)
  • 2019-12-17 9e35dd427f [TASK] Set TYPO3 version to 10.2.2-dev (thanks to Oliver Hader)
  • 2019-12-17 aa2abdaf0d [RELEASE] Release of TYPO3 10.2.1 (thanks to Oliver Hader)
  • 2019-12-17 8d05c31531 [SECURITY] Avoid insecure deserialization in QueryGenerator & QueryView (thanks to Frank Naegler)
  • 2019-12-17 e1e56e7b6a [SECURITY] Prevent SQLi in ext:lowlevel QueryGenerator (thanks to Frank Naegler)
  • 2019-12-17 4ec29f44ac [SECURITY] Avoid directory traversal on archive extraction (thanks to Andreas Fernandez)
  • 2019-12-17 044d7dbe28 [SECURITY] XSS in file list through file extension (thanks to Andreas Fernandez)
  • 2019-12-17 25f796b94e [SECURITY] Avoid XSS by correctly encoding typolink results (thanks to Oliver Hader)
  • 2019-12-17 e971b012c8 [SECURITY] Prevent XSS in EXT:form error message output (thanks to Frank Naegler)
  • 2019-12-17 d075cdeaf3 [TASK] Streamline frontend user password recovery process (thanks to Oliver Hader)
  • 2019-12-17 6ea5b19c76 [BUGFIX] Don't import PHP class in ext_localconf.php (thanks to Andreas Fernandez)

(Version v10.2.1 contained outdated Composer version references, which have been adjusted in v10.2.2.)