CVE-2026-0859 | THREATINT

Description

TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

PUBLISHED Reserved 2026-01-12 | Published 2026-01-13 | Updated 2026-01-13 | Assigner TYPO3

MEDIUM: 5.2CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status

unaffected

10.0.0 (semver) before 10.4.55

affected

11.0.0 (semver) before 11.5.49

affected

12.0.0 (semver) before 12.4.41

affected

13.0.0 (semver) before 13.4.23

affected

14.0.0 (semver) before 14.0.2

affected

Credits

Vitaly Simonovich reporter

Elias Häußler remediation developer

Oliver Hader remediation developer

References

typo3.org/security/advisory/typo3-core-sa-2026-004 vendor-advisory

github.com/...ommit/3225d705080a1bde57a66689621c947da5a4782f (Git commit of main branch) patch

github.com/...ommit/e0f0ceee480c203fbb60b87454f5f193e541d27f (Git commit of 13.4 branch) patch

github.com/...ommit/722bf71c118b0a8e4f2c2494854437d846799a13 (Git commit of 12.4 branch) patch

cve.org (CVE-2026-0859)

nvd.nist.gov (CVE-2026-0859)

Download JSON

help @ threatint.eu