Insecure Deserialization Vulnerability in TYPO3 FileSpool Extension by TYPO3
CVE-2026-0895

5.2 MEDIUM

Key Information:

Vendor: Typo3
CVE Published: 20 January 2026

What is CVE-2026-0895?

The TYPO3 FileSpool extension is vulnerable to Insecure Deserialization, stemming from its reliance on outdated code from the TYPO3 core. Even if the TYPO3 core has been patched, using this extension can still expose systems to potential attacks due to the inherited flaw. This vulnerability allows malicious actors to manipulate serialized objects, leading to unauthorized actions or data leaks. It is essential for users of this extension to review their implementation and consider applying the necessary patches to mitigate risks. For detailed information, refer to the TYPO3 Core Security Advisory.

Affected Version(s)

Extension "Mailqueue" 0 < 0.4.3

Extension "Mailqueue" 0.5.0 < 0.5.1

CVSS V4

Score: 5.2
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Elias Häußler