Description
The extension extends TYPO3's FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 (https://typo3.org/security/advisory/typo3-core-sa-2026-004). Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows Insecure Deserialization, because the affected vulnerable code was extracted from the TYPO3 core into the extension. More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004 (https://typo3.org/security/advisory/typo3-core-sa-2026-004).
Published: 2026-01-20
Score: 5.2 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Insecure Deserialization
Action: Apply Patch
AI Analysis

Impact

The Mailqueue extension for TYPO3 incorporates code from the core FileSpool component that was known to allow insecure deserialization, a flaw in which attacker-crafted serialized objects, once deserialized, can trigger arbitrary code execution or other unintended behavior. The core vulnerability was addressed in TYPO3-CORE-SA-2026-004, but because the extension carries its own copy of the affected code, the core fix is overwritten and installations running a patched core together with this extension remain vulnerable. If serialized input reaches this code path without proper validation, an attacker could compromise the web application or execute commands on the server.

Affected Systems

Any system hosting TYPO3 with the Mailqueue extension is potentially affected, regardless of the core version, because the vulnerable code has been extracted from the core into the extension. No specific version ranges are listed, so all publicly released versions of the Mailqueue extension are considered at risk until a patched version is available. Users should verify that both the core and the extension are updated to the latest releases once a fix is released.

Risk and Exploitability

The CVSS score of 5.2 indicates medium severity, while the EPSS score of less than 1% denotes a very low probability of exploitation under typical circumstances; the SSVC assessment recorded below (Exploitation: none, Automatable: no) is consistent with that. The flaw is not listed in the KEV catalogue. Note that the CVSS 4.0 vector recorded for this CVE (AV:L/AC:L/AT:P/PR:L/UI:N) specifies a local attack vector with low privileges and additional preconditions required, so the assumption in this analysis of a remote vector via the extension's serialized-input interfaces should be read against that vector. In either case, an attacker would need to supply a crafted serialized payload to the affected code path, and the exploit would succeed only if the extension does not enforce strict input validation or limit deserialization to trusted data, enabling arbitrary code execution or privilege escalation on the target system.

Generated by OpenCVE AI on April 18, 2026 at 04:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Mailqueue extension to the latest version that incorporates the TYPO3 core deserialization fix, or remove the extension if an update is not available.
  • Ensure that the TYPO3 core itself is patched to the latest release that includes TYPO3‑CORE‑SA‑2026‑004 so that the underlying deserialization flaw is mitigated.
  • If the extension cannot be updated or removed, apply a temporary mitigation by restricting the extension’s input sources to trusted origins and disabling any deserialization functionality until a permanent fix is deployed.

Advisories

Source: GitHub GHSA
ID: GHSA-ggff-9mj3-7246
Title: mailqueue TYPO3 extension affected by Insecure Deserialization in QueueableFileTransport

History

Wed, 21 Jan 2026 11:30:00 +0000

Values added:
  • First Time appeared: Typo3; Typo3 mailqueue
  • Vendors & Products: Typo3; Typo3 mailqueue

Tue, 20 Jan 2026 18:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 07:45:00 +0000

Values added:
  • Description: the advisory description quoted at the top of this page
  • Title: Insecure Deserialization in extension "Mailqueue" (mailqueue)
  • Weaknesses: CWE-502
  • References: (none listed)
  • Metrics (cvssV4_0): {'score': 5.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-01-20T18:07:10.983Z

Reserved: 2026-01-13T15:24:31.992Z

Link: CVE-2026-0895

Vulnrichment

Updated: 2026-01-20T17:58:37.063Z

NVD

Status: Deferred

Published: 2026-01-20T08:16:01.883

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:00:06Z

Weaknesses