TYPO3 13.4.31
Release Notes
Release Notes for TYPO3 CMS 13.4.31
This document contains information about TYPO3 CMS 13.4.31 which was released on 09.06.2026.
Get TYPO3 13.4.31 nowNews
This release is a combined bug fix and security release.
Find more details in the security bulletins:
- https://typo3.org/security/advisory/typo3-core-sa-2026-006
- https://typo3.org/security/advisory/typo3-core-sa-2026-007
- https://typo3.org/security/advisory/typo3-core-sa-2026-008
- https://typo3.org/security/advisory/typo3-core-sa-2026-009
- https://typo3.org/security/advisory/typo3-core-sa-2026-010
- https://typo3.org/security/advisory/typo3-core-sa-2026-011
- https://typo3.org/security/advisory/typo3-core-sa-2026-012
- https://typo3.org/security/advisory/typo3-core-sa-2026-013
- https://typo3.org/security/advisory/typo3-core-sa-2026-014
- https://typo3.org/security/advisory/typo3-core-sa-2026-015
- https://typo3.org/security/advisory/typo3-core-sa-2026-016
- https://typo3.org/security/advisory/typo3-core-sa-2026-018
- https://typo3.org/security/advisory/typo3-core-sa-2026-019
Checksums of TYPO3 13.4.31
SHA256
39c5ababa18f0a4bce748a9dc7a3864a1c21e3fc5d00c059a7f797cfd3b8a698 typo3_src-13.4.31.tar.gz 9291bce85d58199b51eb3b509b810b0d04dab4aa19bd2fce629641b37668464b typo3_src-13.4.31.zip
SHA1
c6d0dfd0656bb76d8562cc028775a2e42ac52b97 typo3_src-13.4.31.tar.gz a3b0016b0a6964bd1f89d6976451149fe6898f77 typo3_src-13.4.31.zip
MD5
079f72b9510132a8532dfc92c5639425 typo3_src-13.4.31.tar.gz ab9831a2eb628bfcfbac673115678ceb typo3_src-13.4.31.zip
Package Signatures
TYPO3 Release Packages (the downloadable tarballs and zip files) as well as Git tags are signed using PGP signatures during the automated release process. Besides that, MD5 and SHA2-256 hashes are being generated for these files. Find more details on verifying signatures and hashes in the infrastructure guide.
Download GPG signed release README.md file
Example of verifying integrity of tar.gz package of current release:
wget --content-disposition https://get.typo3.org/13.4.31/tar.gz wget --content-disposition https://get.typo3.org/13.4.31/tar.gz.sig gpg --verify typo3_src-13.4.31.tar.gz.sig typo3_src-13.4.31.tar.gz
Upgrading
The usual upgrading procedure applies. No database updates are necessary. It might be required to clear all caches; the "important actions" section in the TYPO3 Install Tool offers the accordant possibility to do so.
Changes
Here is a list of what was fixed since 13.4.30:
- 2026-06-09 59bfeaaf013 [RELEASE] Release of TYPO3 13.4.31 (thanks to Oliver Hader)
- 2026-06-09 040d50d082a [SECURITY] Properly evaluate .form.yaml file extension (thanks to Oliver Hader)
- 2026-06-09 87cd7c5b710 [SECURITY] Mitigate deserialization flaws (thanks to Oliver Hader)
- 2026-06-09 150a983a5d6 [SECURITY] Fix path prefix confusion in isAllowedAbsPath (thanks to Oliver Hader)
- 2026-06-09 17a3b7830d5 [SECURITY] Check file permissions before showing meta data (thanks to Oliver Hader)
- 2026-06-09 27407075633 [SECURITY] Check record/file access when adding records to clipboard (thanks to Elias Häußler)
- 2026-06-09 ad636b61838 [SECURITY] Avoid download from fallback storage in FileDownloadController (thanks to Torben Hansen)
- 2026-06-09 195356996a6 [SECURITY] Prevent unauthorized record move via DataHandler (thanks to Torben Hansen)
- 2026-06-09 92f08d8944f [SECURITY] Validate permissions on record undelete (thanks to Elias Häußler)
- 2026-06-09 8004b91a595 [SECURITY] Encode indexed search results in frontend rendering (thanks to Oliver Hader)
- 2026-06-09 22c2dd5398e [SECURITY] Fix open redirection in GeneralUtility::sanitizeLocalUrl (thanks to Benjamin Franzke)
- 2026-06-09 eb2b2251d90 [SECURITY] Properly detect .form.yaml suffixes in resource layer (thanks to Oliver Hader)
- 2026-06-09 ac4125aef8b [SECURITY] Deny destructive write actions on mount folders (thanks to Elias Häußler)
- 2026-06-09 c99e06e39b4 [SECURITY] Raise typo3/html-sanitizer to v2.3.2 (thanks to Oliver Hader)
- 2026-06-08 ffae5618e9e [BUGFIX] Drop f:format.raw on SiteConfiguration returnUrl field (thanks to Oliver Hader)
- 2026-06-06 8671f058375 [TASK] Update phpstan to 2.2.2 (thanks to Anja Leichsenring)
- 2026-06-05 7be79acb779 [BUGFIX] Respect position "top" in EMU::addTcaSelectItemGroup() (thanks to Sebastian Iffland)
- 2026-06-04 5709dd90828 [DOCS] Add changelog entry for CType/colPos locked on translations (thanks to Johannes Seipelt)
- 2026-06-04 89ccd035e0d [DOCS] Remove leftover workspace swap feature descriptions (thanks to Christian Kuhn)
- 2026-06-04 782a5ae4db2 [DOCS] Name correct removed property in Breaking-101266 (thanks to Christian Kuhn)
- 2026-06-02 acc5ff3b119 [TASK] Extract DeserializationService from PolymorphicDeserializer (thanks to Oliver Hader)
- 2026-06-02 1c873d47711 [TASK] Streamline test cases (thanks to Oliver Hader)
- 2026-06-02 900df0a5af6 [BUGFIX] Enforce isEnabled() check in ResetPasswordController (thanks to Oliver Hader)
- 2026-06-01 135732135f9 [TASK] Revert "[TASK] Include current site in cache tag collection" (thanks to Benjamin Franzke)
- 2026-05-28 d58272fcaa8 [BUGFIX] Run cache GC in chunks (thanks to Johannes Kasberger)
- 2026-05-28 b1192e24b7c [TASK] Raise phpstan/phpstan to 2.2.1 (thanks to Oliver Hader)
- 2026-05-28 99df0aa1636 [TASK] Allow TTY/non-interactive detection in runTests.sh (thanks to Garvin Hicking)
- 2026-05-28 819f4789abd [TASK] Raise symfony/* packages to 7.4.13 (thanks to Oliver Hader)
- 2026-05-27 ed21525d5cc [TASK] Raise symfony/* packages to LTS version 7.4 (thanks to Oliver Hader)
- 2026-05-26 9d6ef883de1 [TASK] Set TYPO3 version to 13.4.31-dev (thanks to Oliver Hader)