Deserialization Flaw in TYPO3 CMS Affects Multiple Versions
CVE-2026-0859
5.2 MEDIUM
What is CVE-2026-0859?
A deserialization vulnerability in TYPO3's mail-file spool feature allows local users with write access to create malicious files that may be processed when the mailer:spool:send command runs. This flaw can lead to arbitrary PHP code execution on the web server, potentially allowing attackers to compromise the integrity and security of the application.
Affected Version(s)
TYPO3 CMS 10.0.0 < 10.4.55
TYPO3 CMS 11.0.0 < 11.5.49
TYPO3 CMS 12.0.0 < 12.4.41
CVSS V4
Score: 5.2
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Vitaly Simonovich
Elias Häußler
Oliver Hader
