TYPO3 9.5.28

Release Notes

Version 9.5.28

Stay secure and up-to-date with TYPO3 ELTS!

The TYPO3 CMS community supported from 2018-10-02 until 2021-09-30.
Extend your support now until 2024-09-30 to get access to the latest security and compatibility updates for this version.

Learn more about TYPO3 ELTS Browse the TYPO3 ELTS Portal

Release Notes for TYPO3 CMS 9.5.28

This document contains information about TYPO3 CMS 9.5.28 which was released on 20.07.2021.

Get TYPO3 9.5.28 now

Checksums of TYPO3 9.5.28


67f6a3159a4d7b30d57076fd628e505c4c50c9a92285a1b47f14c2aac8815c99 typo3_src-9.5.28.tar.gz
e84c207ee4aa5682f2fbb78b9cbebf1b85ac57b02b72ee0ff19e473f71149ee0 typo3_src-9.5.28.zip


5510f67592f1206e7cf104ad0048e4b70b423594 typo3_src-9.5.28.tar.gz
f27c49101c2ee8a26a77e7ea43ad6198f40ef927 typo3_src-9.5.28.zip


cd30652b4f575a6eccc98c43fd11d17d typo3_src-9.5.28.tar.gz
b089d16655145d02f227b827059c08e7 typo3_src-9.5.28.zip

Package Signatures

TYPO3 Release Packages (the downloadable tarballs and zip files) as well as Git tags are signed using PGP signatures during the automated release process. Besides that, MD5 and SHA2-256 hashes are being generated for these files. Find more details on verifying signatures and hashes in the infrastructure guide.

Download GPG signed release README.md file

Example of verifying integrity of tar.gz package of current release:

wget --content-disposition https://get.typo3.org/9.5.28/tar.gz
wget --content-disposition https://get.typo3.org/9.5.28/tar.gz.sig
gpg --verify typo3_src-9.5.28.tar.gz.sig typo3_src-9.5.28.tar.gz


The usual upgrading procedure applies. No database updates are necessary. It might be required to clear all caches; the "important actions" section in the TYPO3 Install Tool offers the accordant possibility to do so.


Here is a list of what was fixed since 9.5.27:

  • 2021-07-20 860158afc7 [RELEASE] Release of TYPO3 9.5.28 (thanks to Oliver Hader)
  • 2021-07-20 bb5e0821d5 [SECURITY] Do not log sensitive data in authentication process (thanks to Benni Mack)
  • 2021-07-20 3218db9e7c [SECURITY] Mitigate XSS related to column names (thanks to Oliver Bartsch)
  • 2021-07-20 0474ca62f7 [SECURITY] Encode error messages in Query View (thanks to Oliver Hader)
  • 2021-07-20 e8b5427d0a [SECURITY] Mitigate XSS in viewpage (thanks to Oliver Bartsch)
  • 2021-07-20 71ed99e836 [TASK] Mitigate downstream CSV code injection (thanks to Oliver Hader)
  • 2021-07-19 5cf195d9d9 [BUGFIX] Upgrade packages chart.js, codemirror, ckeditor4 (thanks to Oliver Hader)
  • 2021-07-19 8a9cfc8ec3 [TASK] Skip another SVG sanitizer test causing seg fault (thanks to Christian Kuhn)
  • 2021-07-16 c39c206cc4 [TASK] Skip SVG sanitizer test causing segmentation fault (thanks to Oliver Hader)
  • 2021-07-15 7c07183415 [TASK] Backport SecurityUtility.stripHtml() (thanks to Andreas Fernandez)
  • 2021-07-13 8c06104a49 [TASK] Streamline identifier usage in SvgFilesSanitization upgrade wizard (thanks to Oliver Hader)
  • 2021-07-13 e7b268f4b9 [BUGFIX] Correctly resolve best matching FAL storage (thanks to Oliver Hader)
  • 2021-07-13 34489f78f4 [TASK] Adjust RST syntax in SVG sanitizer documentation (thanks to Oliver Hader)
  • 2021-07-13 0443b66463 [TASK] Introduce SVG Sanitizer (thanks to Oliver Hader)
  • 2021-07-09 65a5cefb43 [TASK] Reflect patched jQuery state (thanks to Oliver Hader)
  • 2021-07-09 fc7f7ae8f5 [BUGFIX] Unlink temp files in import of ext:impexp (thanks to Daniel Haupt)
  • 2021-06-30 104383b853 [BUGFIX] Declare guzzlehttp/psr7 dependency (thanks to Christian Kuhn)
  • 2021-06-18 c4f300c930 [TASK] Extract common site test aspects to trait (thanks to Oliver Hader)
  • 2021-06-07 dcf7505f15 [DOCS] Add note about TSconfig behaviour in EXT:linkvalidator (thanks to Oliver Bartsch)
  • 2021-06-01 1e1dbff8ff [TASK] Remove a library dependent view helper test (thanks to Christian Kuhn)
  • 2021-06-01 78baf883f2 [BUGFIX] Avoid reloading backend login form for checking HTTP referrer (thanks to Oliver Hader)
  • 2021-05-26 5002e536dd [TASK] Update url to license information (thanks to Georg Ringer)
  • 2021-05-21 5398a2392c [TASK] Add tests for route enhancers having nested arguments declaration (thanks to Oliver Hader)
  • 2021-05-20 667274f8c8 [BUGFIX] Handle LEFT JOINs in Extbase correctly (thanks to Markus Klein)
  • 2021-05-19 65f310f676 [BUGFIX] Allow persisting PseudoFileReference via database form finisher (thanks to Oliver Hader)
  • 2021-05-17 0b41b5a977 [TASK] Streamline routing related phpDoc comments & annotations (thanks to Oliver Hader)
  • 2021-05-14 31f5cc7d4a [BUGFIX] Fix Typo3DbQueryParserTest for custom php timezones (thanks to Benjamin Franzke)
  • 2021-05-11 236f81a1f2 [BUGFIX] Delay error handler registration (thanks to Benjamin Franzke)
  • 2021-05-11 13aa432009 [TASK] Set TYPO3 version to 9.5.28-dev (thanks to Benni Mack)