High severity8.8NVD Advisory· Published Mar 17, 2026· Updated Apr 25, 2026
CVE-2026-1323
CVE-2026-1323
Description
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
cpsit/typo3-mailqueuePackagist | < 0.4.5 | 0.4.5 |
cpsit/typo3-mailqueuePackagist | >= 0.5.0, < 0.5.2 | 0.5.2 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-2pm6-9fhx-vvg3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-1323ghsaADVISORY
- typo3.org/security/advisory/typo3-ext-sa-2026-005nvdVendor AdvisoryWEB
- github.com/CPS-IT/mailqueue/commit/0f7a1376bbbd8c7658030d02e51c10a85b1dfdf7ghsaWEB
- github.com/CPS-IT/mailqueue/commit/600c7dba99f8eea5f2505b848ee3dd4713440741ghsaWEB
- github.com/CPS-IT/mailqueue/security/advisories/GHSA-2pm6-9fhx-vvg3ghsaWEB
News mentions
0No linked articles in our index yet.