Deserialization Flaw in TYPO3 Transport Metadata
CVE-2026-1323

5.2MEDIUM

Key Information:

Vendor: Typo3
Status: Extension "mailqueue"
Vendor: CVE Published:; 17 March 2026

What is CVE-2026-1323?

The TYPO3 extensions have a security flaw related to improper handling of allowed classes during the deserialization of transport failure metadata. This vulnerability can potentially allow an attacker to execute untrusted serialized code, given that they possess write access to the directory defined in the TYPO3 configuration for transport spool file paths. Proper precautions should be taken to limit access to sensitive directories and ensure that extensions comply with security best practices.

Affected Version(s)

Extension "Mailqueue" 0 < 0.4.5

Extension "Mailqueue" 0.5.0 < 0.5.2

References

https://typo3.org/security/advisory/typo3-ext-sa-2026-005

vendor-advisory

CVSS V4

Score:

5.2

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 17, 2026
Vulnerability Reserved
Jan 22, 2026

Credit

Elias Häußler

CVE-2026-1323 Data

JSON

Typo3

What is CVE-2026-1323?

Affected Version(s)

References

CVSS V4

Timeline

Credit