Description
TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
Published: 2026-01-13
Score: 5.2 Medium (CVSS 4.0; NVD's CVSS 3.1 assessment is 7.8 High)
EPSS: < 1% Very Low
KEV: No
Impact: Local Arbitrary PHP Code Execution via Insecure Deserialization
Action: Patch
AI Analysis

Impact

The vulnerability is in the file-based mail spool of TYPO3 CMS. Messages queued with the file spool transport are written to the spool directory as PHP-serialized objects, and the mailer:spool:send command reads each file back with unserialize(). A local user who can write to that directory can drop a file containing a crafted serialized payload; unserialize() then instantiates whatever classes the payload names and runs their magic methods (__wakeup, __destruct and similar), which can be chained into arbitrary PHP code execution in the context of the process that runs the command, typically the web server user. The flaw is a classic instance of insecure deserialization, identified as CWE‑502.
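The mechanism described above, as an added illustration that is not TYPO3's own spool implementation (which is not reproduced here): a toy file spool of the same shape, with the vulnerable unserialize() call beside a hardened version that restricts allowed_classes. QueuedMessage, LoggerHandle, the spool functions and the payload string are all hypothetical names constructed for this example.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class, not TYPO3 code: a minimal file spool that
// serialize()s queued mail and unserialize()s it on send, in a vulnerable and a
// hardened form. All class and function names here are hypothetical.

final class QueuedMessage
{
    public function __construct(public string $to = '', public string $body = '') {}
}

// Stand-in for a "gadget": any autoloadable class with a magic method that acts on
// attacker-controlled properties. This one only records what it was asked to do so
// the demo is harmless; a real chain would reach a file write or eval.
final class LoggerHandle
{
    public static array $effects = [];
    public string $path = '';

    public function __wakeup(): void
    {
        self::$effects[] = "__wakeup ran with path={$this->path}";
    }
}

function spoolWrite(string $dir, QueuedMessage $m): string
{
    $file = $dir . '/' . bin2hex(random_bytes(8)) . '.message';
    file_put_contents($file, serialize($m));
    return $file;
}

// Vulnerable pattern: every file in the spool directory is trusted as-is.
function spoolSendVulnerable(string $dir): array
{
    $processed = [];
    foreach (glob($dir . '/*.message') ?: [] as $file) {
        $m = unserialize(file_get_contents($file)); // instantiates whatever class the file names
        $processed[] = $m instanceof QueuedMessage ? "sent to {$m->to}" : 'got ' . get_debug_type($m);
        unlink($file);
    }
    return $processed;
}

// Hardened pattern: only the expected class may be instantiated. Anything else comes
// back as __PHP_Incomplete_Class (no magic methods run) and is discarded.
function spoolSendHardened(string $dir): array
{
    $processed = [];
    foreach (glob($dir . '/*.message') ?: [] as $file) {
        $m = unserialize(file_get_contents($file), ['allowed_classes' => [QueuedMessage::class]]);
        if (!$m instanceof QueuedMessage) {
            $processed[] = 'rejected ' . basename($file);
            unlink($file); // in production: quarantine the file and alert instead
            continue;
        }
        $processed[] = "sent to {$m->to}";
        unlink($file);
    }
    return $processed;
}

// Demo: one legitimate message plus a hand-written payload dropped into the spool by
// someone with write access. Writing the payload needs only the gadget's class and
// property names, not its source code.
$dir = sys_get_temp_dir() . '/spool-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$payload = 'O:12:"LoggerHandle":1:{s:4:"path";s:10:"/tmp/pwned";}';

spoolWrite($dir, new QueuedMessage('alice@example.test', 'hello'));
file_put_contents($dir . '/0000-evil.message', $payload);
print_r(spoolSendVulnerable($dir)); // the payload file is turned into a live LoggerHandle
print_r(LoggerHandle::$effects);    // whatever __wakeup recorded

spoolWrite($dir, new QueuedMessage('bob@example.test', 'hello'));
file_put_contents($dir . '/0000-evil.message', $payload);
LoggerHandle::$effects = [];
print_r(spoolSendHardened($dir));   // the payload file is rejected
print_r(LoggerHandle::$effects);    // nothing recorded: the gadget was never instantiated
rmdir($dir);
```

Run it with `php spool_demo.php`. The allowed_classes restriction is defence in depth, not a substitute for the vendor fix: the on-disk format is still PHP serialization, so the real controls are a spool directory that only the service account can write to and, ideally, a spool format that cannot instantiate objects at all (or a keyed MAC over each spool file, verified before unserialize() is ever called).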

Affected Systems

TYPO3 CMS is affected. The vulnerable releases are 10.0.0 through 10.4.54, 11.0.0 through 11.5.48, 12.0.0 through 12.4.40, 13.0.0 through 13.4.22, and 14.0.0 through 14.0.1. All versions in these ranges are at risk when the file-based mail spool is in use and the spool directory is writable by local users other than the account that runs mailer:spool:send.

Risk and Exploitability

The CVSS 4.0 base score of 5.2 rates the issue as medium; NVD's CVSS 3.1 assessment is 7.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The EPSS score is below 1 %, suggesting a very low exploitation probability under current conditions, and the issue is not listed in CISA's KEV catalog. The attack vector is local: the attacker needs a local account with write access to the spool directory, and the installation must be using the file spool (the CVSS 4.0 vector records this precondition as AT:P). The attacker does not need to run mailer:spool:send themselves; the payload is processed whenever the command next runs, which is commonly a scheduled job. While the likelihood is low, successful exploitation yields code execution as the user running the command and so complete compromise of the affected CMS installation. Shared hosting and setups where the spool directory is writable by other local accounts (for example a world-writable spool path) are the most exposed.

Generated by OpenCVE AI on April 18, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The affected-version ranges end at 10.4.54, 11.5.48, 12.4.40, 13.4.22 and 14.0.1; consult the TYPO3 advisory (GHSA-7vp9-x248-9vr9) for the fixed releases of each branch.

OpenCVE Recommended Actions

  • Apply the TYPO3 CMS release that addresses the mail‑file spool deserialization flaw for your branch, i.e. a version later than 10.4.54, 11.5.48, 12.4.40, 13.4.22 or 14.0.1 respectively.
  • Restrict permissions on the mailer spool directory so that only the account that runs mailer:spool:send can create or modify files there; it must not be group- or world-writable, and it should not be shared with other tenants or local users.
  • If an immediate upgrade cannot be applied, stop scheduling mailer:spool:send (or switch the mailer away from the file spool) until the fix is in place, and treat any spool file that the service account did not write as suspect rather than sending it.
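A check for the two conditions the actions above depend on, as an added helper that is not part of TYPO3 or OpenCVE: it reports whether the spool directory or its files are writable by anyone other than the owner, whether the owner is the running user, and whether any queued file names a class outside an operator-supplied allow-list. The directory path and the allow-list (`QueuedMessage` here) are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Added audit helper, not TYPO3 code. Checks the spool directory's permissions and
// ownership, then scans each queued file for serialized class names that are not on
// the allow-list. The path and allow-list are operator-supplied assumptions.

function auditSpoolDir(string $dir, array $allowedClasses): array
{
    $findings = [];
    if (!is_dir($dir)) {
        return ["$dir is not a directory"];
    }

    $mode = fileperms($dir) & 0777;
    if (($mode & 0022) !== 0) {
        $findings[] = sprintf('%s is group- or world-writable (mode %04o)', $dir, $mode);
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $findings[] = sprintf('%s is owned by uid %d, not the running user (uid %d)',
            $dir, fileowner($dir), posix_geteuid());
    }

    foreach (glob($dir . '/*') ?: [] as $file) {
        if (!is_file($file)) {
            continue;
        }
        $fmode = fileperms($file) & 0777;
        if (($fmode & 0022) !== 0) {
            $findings[] = sprintf('%s is group- or world-writable (mode %04o)', $file, $fmode);
        }
        $data = (string) file_get_contents($file);
        // Serialized objects appear as O:<len>:"ClassName": (or C:<len>:"ClassName": for
        // the legacy Serializable interface). Collect every class the file names.
        if (preg_match_all('/[OC]:\d+:"([^"]+)":/', $data, $m) > 0) {
            foreach (array_unique($m[1]) as $class) {
                if (!in_array($class, $allowedClasses, true)) {
                    $findings[] = "$file names unexpected class $class";
                }
            }
        }
    }
    return $findings;
}

// Demo on a constructed, deliberately world-writable directory holding one benign
// file and one that references a class outside the allow-list.
$dir = sys_get_temp_dir() . '/spool-audit-' . bin2hex(random_bytes(4));
mkdir($dir, 0777);
chmod($dir, 0777); // mkdir's mode is subject to umask, so set it explicitly
file_put_contents($dir . '/a.message', 'O:13:"QueuedMessage":1:{s:2:"to";s:1:"x";}');
file_put_contents($dir . '/b.message', 'O:12:"LoggerHandle":1:{s:4:"path";s:10:"/tmp/pwned";}');

foreach (auditSpoolDir($dir, ['QueuedMessage']) as $finding) {
    echo $finding, PHP_EOL;
}

array_map('unlink', glob($dir . '/*') ?: []);
rmdir($dir);
```

On a real installation, run it as the account that executes mailer:spool:send and build the allow-list from a known-good spool file (the message classes the spool legitimately writes) rather than guessing; an unexpected class name in a spool file is a concrete indicator that someone else has been writing there.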



Advisories

Source: GitHub GHSA
ID: GHSA-7vp9-x248-9vr9
Title: TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
History

Wed, 14 Jan 2026 19:00:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 13 Jan 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 12:00:00 +0000

Type: Description
Values Added: TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

Type: Title
Values Added: TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool

Type: First Time appeared
Values Added: Typo3; Typo3 typo3

Type: Weaknesses
Values Added: CWE-502

Type: CPEs
Values Added: cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Typo3; Typo3 typo3

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0 {'score': 5.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-01-13T14:12:12.132Z

Reserved: 2026-01-12T11:25:46.041Z

Link: CVE-2026-0859

Vulnrichment

Updated: 2026-01-13T14:11:58.501Z

NVD

Status: Analyzed

Published: 2026-01-13T12:15:50.383

Modified: 2026-01-14T18:57:50.443

Link: CVE-2026-0859

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses