CVE-2026-0859
published 2026-01-13CVE-2026-0859: TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the…
PriorityP347high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
EPSS
0.17%
6.1th percentile
TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms-core | >= 10.0.0 < 10.4.55 | 10.4.55 |
| typo3 | cms-core | >= 11.0.0 < 11.5.49 | 11.5.49 |
| typo3 | cms-core | >= 12.0.0 < 12.4.41 | 12.4.41 |
| typo3 | cms-core | >= 13.0.0 < 13.4.23 | 13.4.23 |
| typo3 | cms-core | >= 14.0.0 < 14.0.2 | 14.0.2 |
| typo3 | typo3 | >= 10.0.0 < 10.4.55 | 10.4.55 |
| typo3 | typo3 | >= 11.0.0 < 11.5.49 | 11.5.49 |
| typo3 | typo3 | >= 12.0.0 < 12.4.41 | 12.4.41 |
| typo3 | typo3 | >= 13.0.0 < 13.4.23 | 13.4.23 |
| typo3 | typo3 | >= 14.0.0 < 14.0.2 | 14.0.2 |
| typo3 | typo3_cms | >= 10.0.0 < 10.4.55 | 10.4.55 |
| typo3 | typo3_cms | >= 11.0.0 < 11.5.49 | 11.5.49 |
| typo3 | typo3_cms | >= 12.0.0 < 12.4.41 | 12.4.41 |
| typo3 | typo3_cms | >= 13.0.0 < 13.4.23 | 13.4.23 |
| typo3 | typo3_cms | >= 14.0.0 < 14.0.2 | 14.0.2 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.05.2MEDIUMCVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
ghsa·2026-01-13
CVE-2026-0859 [MEDIUM] CWE-502 TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
### Problem
Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server.
The vulnerability is triggered when TYPO3 is configured with `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';` and a scheduler task or cron job runs the command `mailer:spool:send`. The spool‑send operation performs the insecure deserialization that is at the core of this issue.
### Solution
Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.
### Credit
OSV
TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
osv·2026-01-13
CVE-2026-0859 [MEDIUM] TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
### Problem
Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server.
The vulnerability is triggered when TYPO3 is configured with `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';` and a scheduler task or cron job runs the command `mailer:spool:send`. The spool‑send operation performs the insecure deserialization that is at the core of this issue.
### Solution
Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.
### Credit
No detection rules found.
No public exploits indexed.
2026-01-13
Published