TYPO3 CMS - Insecure Deserialization in Core API
CVE-2026-49740

6.3MEDIUM

Key Information:

Vendor: Typo3
Status: Typo3 Cms
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-49740?

TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Affected Version(s)

TYPO3 CMS 0 < 10.4.57

TYPO3 CMS 11.0.0 < 11.5.51

TYPO3 CMS 12.0.0 < 12.4.46

References

https://typo3.org/security/advisory/typo3-core-sa-2026-018

vendor-advisory

https://github.com/TYPO3/typo3/commit/48bcf24f31f52cc0b43...

patch

https://github.com/TYPO3/typo3/commit/87cd7c5b710c44d3606...

patch

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Jun 1, 2026

Credit

z3rco

Chowdhury Faizal Ahammed

Rick Larabee

Vitaly Simonovich

Nozomu Sasaki

Mert Akdag

tikket

Shafi Almutairi

Oliver Hader

CVE-2026-49740 Data

JSON

Typo3

What is CVE-2026-49740?

Affected Version(s)

References

CVSS V4

Timeline

Credit