TYPO3 13.4.18
9 September 2025
TYPO3 version 13.4.18 is now available (security release).
Upgrading to TYPO3 13.4.18
TYPO3 13.4.18 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply TYPO3 updates as new versions are released, or use Installatron's Clone feature to duplicate an existing TYPO3 install to test the 13.4.18 upgrade prior to applying it live. Get started managing your TYPO3 installations with Installatron
What's New in TYPO3 13.4.18
Security
- [SECURITY] Prevent Information Disclosure in record list downloader (thanks to Benjamin Franzke)
- [SECURITY] Avoid displaying version details to unauthorized users (thanks to Oliver Hader)
- [SECURITY] Inherit access to module-related AJAX routes from modules (thanks to Elias Häußler)
- [SECURITY] Prevent information disclosure via filesystem E_WARNING errors (thanks to Andreas Kienast)
- [SECURITY] Avoid reduced entropy during password generation (thanks to Oliver Hader)
- [SECURITY] Properly catch FAL exceptions in ShortcutRepository (thanks to Oliver Hader)
- [SECURITY] Fix open redirection via GeneralUtility::sanitizeLocalUrl (thanks to Benjamin Franzke)
Bug Fixes and Changes
- [TASK] Add more common MIME type replacements and file extensions (thanks to Garvin Hicking)
- [TASK] Do not call non static test methods statically (thanks to Helmut Hummel)
- [DOCS] Fix Linkvalidator Code Example (thanks to Lukas Niestroj)
- [TASK] Replace deprecated SplObjectStorage method calls (thanks to Stefan Bürk)
- [TASK] Add request to ModifyNewContentElementWizardItemsEvent (thanks to Sebastian Fischer)
- [DOCS] Hyphenated words and fulltext search (thanks to Christian Weiske)
- [BUGFIX] Only show preview button in FormEngine when configured (thanks to Benni Mack)
- [BUGFIX] Do not cast hook arguments in DataHandler (thanks to Benni Mack)
- [TASK] Update Fluid Standalone to 4.4.3 (thanks to Simon Praetorius)
- [BUGFIX] Ensure correct type of fluidAdditionalAttributes (thanks to Simon Praetorius)
- [DOCS] Fix FQN of \TYPO3\CMS\Core\Resource\Folder in changelog (thanks to Lina Wolf)
- [BUGFIX] Avoid appending multiple referrer-refresh query parameters (thanks to Oliver Hader)
- [BUGFIX] Use array accessors inside \TYPO3\CMS\Core\Type\Map (thanks to Oliver Hader)
- [BUGFIX] Always clone policy in CSP's Policy::prepare (thanks to Oliver Hader)
- [BUGFIX] Show online media headline in File Selector (thanks to Oliver Bartsch)
- [TASK] Enhance Extbase file upload consistency checks (thanks to Oliver Hader)
- [DOCS] Update indexed_search fulltext table documentation (thanks to Christian Weiske)
- [DOCS] Use proper PDO class constant migration changelog example (thanks to Franz Holzinger)
- [DOCS] Mark up BE template API examples as code (thanks to Mathias Brodala)
- [DOCS] Correct migration instructions for TSFE->getLanguage() (thanks to Markus Klein)
- [TASK] Remove some leftover code in DatabaseRecordList (thanks to Benni Mack)
- [BUGFIX] Placeholders in error messages are not replaced (thanks to Simon Schaufelberger)
- [BUGFIX] Respect system time zone in history module (thanks to Sebastian Michaelsen)
- [BUGFIX] Update middleware name in Configuration (thanks to Christian Kuhn)
- [BUGFIX] Do not cast PID of file reference to int in HTML (thanks to Georg Großberger)
- [TASK] Refactor workspace BE module internals (thanks to Christian Kuhn)
- [BUGFIX] Fix access control for sys_file_metadata (thanks to Oliver Bartsch)
- [DOCS] Update Feature-103511-IntroduceExtbaseFileUploadHandling.rst (thanks to Sergio Catalá)
- [BUGFIX] Do not change "web" module state in Info Popup (thanks to Oliver Bartsch)
- [BUGFIX] Restore sort direction from module data (thanks to Oliver Bartsch)
- [BUGFIX] Consider content object cache lifetimes in HTTP cache headers (thanks to Benni Mack)
- [BUGFIX] Catch PHP warning when FlexForm select items config is empty (thanks to Christian Weiske)
- [BUGFIX] Respect subgroups of simulated user group (thanks to Albrecht Köhnlein)
- [BUGFIX] Don't rely on Fluid namespace inheritance (thanks to Simon Praetorius)
- [TASK] Remove deprecated function calls with no effect since PHP 8.0 (thanks to Stefan Bürk)
- [TASK] Update phpunit/phpunit and dependencies (thanks to Stefan Bürk)
- [BUGFIX] Remove defaults from required ViewHelper arguments (thanks to Simon Praetorius)
- [BUGFIX] Re-introduce "danger" severity for CacheAction array shape (thanks to Moritz Ngo)
- [TASK] Add getSoftReferenceKeys() method to Schema Field API (thanks to Oliver Bartsch)
- [TASK] Drop shouldShowPreselectedValueColumn from formeditor (thanks to Benjamin Kott)
- [TASK] CGL: Have basic ordered_class_elements rule (thanks to Christian Kuhn)
- [BUGFIX] Treat page translation as page edit permission (thanks to Lisa Kreitz)
- [BUGFIX] Set live context when generating $liveUrl in PreviewController (thanks to Sebastian Michaelsen)