Deserialization Flaw in TYPO3 CMS Affects Multiple Versions
CVE-2026-0859

5.2 MEDIUM

Key Information:

Vendor

Typo3

Status
Vendor
CVE Published: 13 January 2026

What is CVE-2026-0859?

A deserialization vulnerability in TYPO3's mail-file spool feature allows local users with write access to create malicious files that may be processed during the mailer:spool:send command. This flaw can lead to arbitrary PHP code execution on the web server, potentially allowing attackers to compromise the integrity and security of the application.

Affected Version(s)

TYPO3 CMS 10.0.0 < 10.4.55

TYPO3 CMS 11.0.0 < 11.5.49

TYPO3 CMS 12.0.0 < 12.4.41

CVSS V4

Score: 5.2
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vitaly Simonovich
Elias Häußler
Oliver Hader