Security: CM4all/typo3

SECURITY.md

Security Policy

Supported Versions

The following matrix shows the versions that are currently maintained by the TYPO3 Community. Sprint releases (versions before 11.5.0 and before 10.4.0, in their corresponding branches) are neither maintained nor supported.

Version Supported
11.5.x
11.4.x
11.3.x
11.2.x
11.1.x
11.0.x
10.4.x
< 10.4.0

Reporting a Vulnerability

Please report potential vulnerabilities to [email protected]

  • mention the project that is affected (either TYPO3 core or a TYPO3 extension/plugin)
  • mention the exact version or version range that has been analyzed
  • provide a step-by-step description of how to exploit the potential vulnerability

Coordinated Disclosure

The TYPO3 Security Team will coordinate with core mergers or corresponding extension/plugin maintainers and other affected parties. If a security fix is ready, we will then package new releases and announce the fix to the public using various communication channels like:

The TYPO3 Security Team takes care of requesting CVE IDs (Common Vulnerabilities and Exposures identifiers). Please do not post or publish vulnerabilities to public issue trackers or discuss them on Slack or Twitter.

Message Encryption

It is possible to send GPG/PGP encrypted emails to [email protected] using key id C05FBE60 (complete fingerprint B41C C3EF 373E 0F5C 7018  7FE9 3BEF BD27 C05F BE60):

TYPO3 Release Dates / "Patchday"

TYPO3 releases (including potential security fixes) are usually released on Tuesdays (except for holidays like Christmas or New Year's Day).

Maintenance releases for stable versions have been scheduled in advance - it is very likely that security fixes are released during these dates as well.