VYPR
Moderate severityOSV Advisory· Published Jan 13, 2026· Updated Jan 13, 2026

TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool

CVE-2026-0859

Description

TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
typo3/cms-corePackagist
>= 14.0.0, < 14.0.214.0.2
typo3/cms-corePackagist
>= 13.0.0, < 13.4.2313.4.23
typo3/cms-corePackagist
>= 12.0.0, < 12.4.4112.4.41
typo3/cms-corePackagist
>= 11.0.0, < 11.5.4911.5.49
typo3/cms-corePackagist
>= 10.0.0, < 10.4.5510.4.55

Affected products

2

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.