TYPO3 10.4.18

Release Notes

Version 10.4.18

Stay secure and up-to-date with TYPO3 ELTS!

The TYPO3 CMS community supported from 2020-04-21 until 2023-04-30.
Extend your support now until 2026-04-30 to get access to the latest security and compatibility updates for this version.

Learn more about TYPO3 ELTS Browse the TYPO3 ELTS Portal

Release Notes for TYPO3 CMS 10.4.18

This document contains information about TYPO3 CMS 10.4.18 which was released on 20.07.2021.

Get TYPO3 10.4.18 now

Checksums of TYPO3 10.4.18


93d2389e21be17ec6ace908d804af1211024c82847ed28d957c4e3659ca3417f typo3_src-10.4.18.tar.gz
b7be3fce6c2d118b8c6e4117358176d5525212ec5b34e554a0e1b44d19865744 typo3_src-10.4.18.zip


7e1e4a488c0b113a9201e469056a4650e0a8d083 typo3_src-10.4.18.tar.gz
1c7e10c94757c656489449526f0867f5ec047847 typo3_src-10.4.18.zip


7802726159a94d4bc3844b538424d298 typo3_src-10.4.18.tar.gz
8bc1d34e3392d8b3ad04d7e277550498 typo3_src-10.4.18.zip


The usual upgrading procedure applies. No database updates are necessary. It might be required to clear all caches; the "important actions" section in the TYPO3 Install Tool offers the accordant possibility to do so.


Here is a list of what was fixed since 10.4.17:

  • 2021-07-20 7c21aadae4 [RELEASE] Release of TYPO3 10.4.18 (thanks to Oliver Hader)
  • 2021-07-20 f8082e1fba [SECURITY] Do not log sensitive data in authentication process (thanks to Benni Mack)
  • 2021-07-20 01eb0e3b07 [SECURITY] Mitigate XSS related to column names (thanks to Oliver Bartsch)
  • 2021-07-20 2c1db81fde [SECURITY] Encode error messages in Query View (thanks to Oliver Hader)
  • 2021-07-20 533bae317b [SECURITY] Mitigate XSS in viewpage (thanks to Oliver Bartsch)
  • 2021-07-20 f378139c00 [TASK] Mitigate downstream CSV code injection (thanks to Oliver Hader)
  • 2021-07-19 7896a61286 [BUGFIX] Prevent TypeError in TableController (thanks to Oliver Bartsch)
  • 2021-07-19 80ab8672a9 [BUGFIX] Upgrade packages chart.js, codemirror, ckeditor4 (thanks to Oliver Hader)
  • 2021-07-19 0828d06bd6 [TASK] Skip another SVG sanitizer test causing seg fault (thanks to Christian Kuhn)
  • 2021-07-16 eac6c2fbab [TASK] Skip SVG sanitizer test causing segmentation fault (thanks to Oliver Hader)
  • 2021-07-15 44b2f4b4cd [TASK] Backport SecurityUtility.stripHtml() (thanks to Andreas Fernandez)
  • 2021-07-13 a28ebb5f76 [TASK] Streamline identifier usage in SvgFilesSanitization upgrade wizard (thanks to Oliver Hader)
  • 2021-07-13 e2040358ab [BUGFIX] Correctly resolve best matching FAL storage (thanks to Oliver Hader)
  • 2021-07-13 24d3417dff [TASK] Adjust RST syntax in SVG sanitizer documentation (thanks to Oliver Hader)
  • 2021-07-13 45b389d44d [TASK] Introduce SVG Sanitizer (thanks to Oliver Hader)
  • 2021-07-12 a06a256e60 [BUGFIX] Properly check shortcut permissions in ShortcutRepository (thanks to Oliver Bartsch)
  • 2021-07-12 e705b30274 [TASK] Improve exception messages in ImageService (thanks to Oliver Bartsch)
  • 2021-07-12 1184d7292a [BUGFIX] Enable ContextMenu for file mounts and file storages again (thanks to Oliver Bartsch)
  • 2021-07-12 16a239e750 [BUGFIX] Remove always true part of if condition (thanks to Nikita Hovratov)
  • 2021-07-12 cf1452b9f4 [BUGFIX] Fix missing closing divs in SelectSingleBoxElement (thanks to Nikita Hovratov)
  • 2021-07-12 10bc3ffc93 [TASK] Add placeholder for title field in create multiple pages (thanks to Oliver Bartsch)
  • 2021-07-09 c802dacfc6 [BUGFIX] Allow to abort a selected upgrade wizard before execution (thanks to Andreas Fernandez)
  • 2021-07-09 9fa8fadbc8 [TASK] Reflect patched jQuery state (thanks to Andreas Fernandez)
  • 2021-07-09 2301a351f3 [BUGFIX] Unlink temp files in import of ext:impexp (thanks to Daniel Haupt)
  • 2021-07-09 3742476215 [BUGFIX] Handle invalid source string correctly in ImageService (thanks to Oliver Bartsch)
  • 2021-07-09 bcd19bf23c [BUGFIX] Avoid crash due to endless loop in Fluid-based Page Module (thanks to Oliver Hader)
  • 2021-07-07 c109434b4c [DOCS] Complete new pagination changelog rst (thanks to Daniel Siepmann)
  • 2021-07-06 9f6110811d [BUGFIX] Set position for alert container to fixed (thanks to Jochen Roth)
  • 2021-07-01 3b72f0d59b [DOCS] Use correct method params in #90956 rst-file (thanks to Henrik Elsner)
  • 2021-07-01 e3538f3743 [BUGFIX] Fix typos in language labels (thanks to Jochen Roth)
  • 2021-06-30 dc125e42c9 [BUGFIX] Declare guzzlehttp/psr7 dependency (thanks to Christian Kuhn)
  • 2021-06-28 550c4be1c2 [BUGFIX] Respect TSconfig when adding page translations to recordlist (thanks to Oliver Bartsch)
  • 2021-06-27 4761152331 [DOC] Change fallback layer code removal information (thanks to Benni Mack)
  • 2021-06-22 2560d67426 [BUGFIX] Fix terms in Info > Page TSconfig (thanks to Sybille Peters)
  • 2021-06-22 46a2414710 [BUGFIX] Missing is_array check in setValueByPath (thanks to Rico Sonntag)
  • 2021-06-18 51c1caf1dc [BUGFIX] Respect offline storages on context menu initialization (thanks to Oliver Bartsch)
  • 2021-06-18 4282c2ca6f [TASK] Extract common site test aspects to trait (thanks to Oliver Hader)
  • 2021-06-17 8f14283834 [TASK] Add acceptance test for EXT:reports module (thanks to Jochen Roth)
  • 2021-06-16 7b7deb0cc1 [TASK] Add customization examples for felogin (thanks to Jan Stockfisch)
  • 2021-06-15 adce6dbe8b [BUGFIX] Fix range handling for eval double (thanks to Patrick Schriner)
  • 2021-06-14 ae55eef595 [DOCS] Fix PHP code example in changelog (thanks to Oliver Bartsch)
  • 2021-06-14 1ee27a9f16 [TASK] Raise typo3/testing-framework:^6.8.4 (thanks to Christian Kuhn)
  • 2021-06-13 258a7b61a4 [TASK] Raise typo3/testing-framework:^6.8.3 (thanks to Christian Kuhn)
  • 2021-06-13 a6bb955b9e [BUGFIX] Correct ac test file namespace (thanks to Christian Kuhn)
  • 2021-06-11 ef1ea9dc3f [BUGFIX] Fix return annotation of AbstractDomainObject->getUid() (thanks to Andreas Fernandez)
  • 2021-06-10 1d7ed0bc69 [BUGFIX] Do not render clipboard actions for page translations (thanks to Oliver Bartsch)
  • 2021-06-09 d66b69b251 [TASK] Remove "sha1" from sys_file searchFields (thanks to Guido Schmechel)
  • 2021-06-09 6c3ac2d200 [BUGFIX] Check if shortcuts' target table still exists (thanks to Oliver Bartsch)
  • 2021-06-09 0193401297 [TASK] Document behaviour of inline parent info in itemsProcFunc (thanks to Oliver Bartsch)
  • 2021-06-09 84d6975662 [BUGFIX] Add uid field to fieldDefinitions in EXT:seo (thanks to Oliver Bartsch)
  • 2021-06-09 d48c2e969c [BUGFIX] Prevent Uncaught TypeError in Recordlist JavaScript (thanks to Oliver Bartsch)
  • 2021-06-08 55bfa13a39 [TASK] Set TYPO3 version to 10.4.18-dev (thanks to Benni Mack)