Due to a missing file extension in the fileDenyPattern, backend user are allowed to upload *.pht files which can be executed in certain web server setups. The new default fileDenyPattern is the following, which might have been overridden in the TYPO3 Install Tool.
\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$