Description

TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
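The weakness described above is the absence of two controls around `unserialize()`: nothing proves that the stored bytes were written by the application, and nothing stops a stored payload from instantiating arbitrary classes. The following is an added illustration written for this page; it is not TYPO3 code and not the referenced patch. It shows a small key-value wrapper that stores values with an HMAC tag and, on read, first verifies that tag and then deserializes with a class restriction. The class name `SignedStore`, the in-memory `$backend` array standing in for a cache backend or `sys_registry` row, and the key handling are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code: a store that signs serialized values so that
// rows rewritten directly in the backend (the precondition in the advisory)
// are rejected before unserialize() ever sees them.
final class SignedStore
{
    /** @var array<string,string> in-memory stand-in for a cache backend / sys_registry table (assumption) */
    private array $backend = [];

    /**
     * @param string     $hmacKey        secret known only to the application, never stored beside the data
     * @param bool|array $allowedClasses passed through to unserialize(); false = never build objects
     */
    public function __construct(
        private string $hmacKey,
        private bool|array $allowedClasses = false,
    ) {}

    public function set(string $key, mixed $value): void
    {
        $payload = serialize($value);
        $tag = hash_hmac('sha256', $payload, $this->hmacKey);
        // Tag and payload share one row; the tag covers the exact bytes that will be deserialized.
        $this->backend[$key] = $tag . ':' . $payload;
    }

    public function get(string $key): mixed
    {
        if (!isset($this->backend[$key])) {
            return null;
        }
        $raw = $this->backend[$key];
        $sep = strpos($raw, ':');
        if ($sep === false) {
            return null; // malformed row: treat as absent
        }
        $tag = substr($raw, 0, $sep);
        $payload = substr($raw, $sep + 1);

        // Control 1, integrity: a row the application did not write fails here,
        // regardless of what it contains.
        $expected = hash_hmac('sha256', $payload, $this->hmacKey);
        if (!hash_equals($expected, $tag)) {
            return null;
        }

        // Control 2, class restriction: even a correctly signed row cannot
        // resurrect arbitrary objects. With false, objects come back as
        // __PHP_Incomplete_Class and no magic methods run.
        return unserialize($payload, ['allowed_classes' => $this->allowedClasses]);
    }

    /** Simulates direct write access to the backend, bypassing set(). */
    public function writeRaw(string $key, string $raw): void
    {
        $this->backend[$key] = $raw;
    }
}

// Demonstration with constructed data
$store = new SignedStore(bin2hex(random_bytes(32)));

$store->set('settings', ['cacheLifetime' => 3600]);
var_dump($store->get('settings'));

// A row rewritten in the backend without the application's key is rejected.
$store->writeRaw('settings', str_repeat('0', 64) . ':' . serialize(new stdClass()));
var_dump($store->get('settings'));
```

Two design points worth noting. The HMAC key must live outside the storage the attacker can write to (application configuration, not the database or cache directory), or the integrity check protects nothing. And `allowed_classes => false` is the strictest setting; a component that legitimately stores objects, as a cache frontend may, would instead pass an explicit allow-list of the classes it expects, so that the signature remains the primary control and the class restriction limits what a signed payload could still do.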

PUBLISHED | Reserved 2026-06-01 | Published 2026-06-09 | Updated 2026-06-09 | Assigner TYPO3

MEDIUM: 6.3 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status: unaffected

Any version before 10.4.57: affected

11.0.0 (semver) before 11.5.51: affected

12.0.0 (semver) before 12.4.46: affected

13.0.0 (semver) before 13.4.31: affected

14.0.0 (semver) before 14.3.3: affected

Credits

z3rco reporter

Chowdhury Faizal Ahammed reporter

Rick Larabee reporter

Vitaly Simonovich reporter

Nozomu Sasaki reporter

Mert Akdag reporter

tikket reporter

Shafi Almutairi reporter

Oliver Hader remediation developer

References

typo3.org/security/advisory/typo3-core-sa-2026-018 vendor-advisory

github.com/...ommit/48bcf24f31f52cc0b43d3bea4984634bd2cf85c7 (Git commit of main branch) patch

github.com/...ommit/87cd7c5b710c44d3606fed277b040a75dc6a9c02 (Git commit of 13.4 branch) patch

cve.org (CVE-2026-49740)

nvd.nist.gov (CVE-2026-49740)