High severity8.8NVD Advisory· Published Mar 17, 2026· Updated Apr 25, 2026

CVE-2026-1323

Description

The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
cpsit/typo3-mailqueuePackagist	< 0.4.5	0.4.5
cpsit/typo3-mailqueuePackagist	>= 0.5.0, < 0.5.2	0.5.2

Affected products

Cps It/Mailqueue
cpe:2.3:a:cps-it:mailqueue:*:*:*:*:*:typo3:*:*
Range: <0.4.5

Patches

600c7dba99f8

[SECURITY] Harden deserialization in `TransportFailure`

https://github.com/CPS-IT/mailqueueElias HäußlerJan 22, 2026via ghsa

commit

1 file changed · +2 −1

Classes/Mail/TransportFailure.php+2 −1 modified

@@ -60,7 +60,8 @@ public static function fromFile(string $file): self
         }
 
         $failure = unserialize((string)file_get_contents($file), [
-            'allowedClasses' => [
+            'allowed_classes' => [
+                self::class,
                 \DateTimeImmutable::class,
             ],
         ]);

0f7a1376bbbd

[SECURITY] Harden deserialization in `TransportFailure`

https://github.com/CPS-IT/mailqueueElias HäußlerJan 22, 2026via ghsa

commit

1 file changed · +2 −1

Classes/Mail/TransportFailure.php+2 −1 modified

@@ -54,7 +54,8 @@ public static function fromFile(string $file): self
         }
 
         $failure = unserialize((string)file_get_contents($file), [
-            'allowedClasses' => [
+            'allowed_classes' => [
+                self::class,
                 \DateTimeImmutable::class,
             ],
         ]);

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-2pm6-9fhx-vvg3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-1323ghsaADVISORY
typo3.org/security/advisory/typo3-ext-sa-2026-005nvdVendor AdvisoryWEB
github.com/CPS-IT/mailqueue/commit/0f7a1376bbbd8c7658030d02e51c10a85b1dfdf7ghsaWEB
github.com/CPS-IT/mailqueue/commit/600c7dba99f8eea5f2505b848ee3dd4713440741ghsaWEB
github.com/CPS-IT/mailqueue/security/advisories/GHSA-2pm6-9fhx-vvg3ghsaWEB

News mentions

No linked articles in our index yet.

Severity

HighCVSS v3.1

8.8/ 10

CVSS v45.2

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Probability of exploitation in the next 30 days.

0.12%

VYPR risk score

Composite of severity, exploitation, and reach.

0.50high

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000

Weaknesses

CWE-502
Deserialization of Untrusted Data

CVE ID

CVE-2026-1323

Source code

github.com/CPS-IT/mailqueue

Credits

EH
Elias Häußler
reporter
E
eliashaeussler
remediation_developer · ghsa
EH
Elias Häußler
remediation developer