It has been discovered that TYPO3 CMS is vulnerable to HTML injection.

Problem Description

The history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account.


Solution

Update to TYPO3 version 13.1.1, which fixes the problem described.


Credits

Thanks to TYPO3 core team member Andreas Kienast, who reported this issue, and to TYPO3 core & security team member Benjamin Franzke, who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.