Description
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].
Published: 2026-03-17
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The TYPO3 extension "Mailqueue" contains an insecure deserialization flaw where it fails to define allowed classes when deserializing transport failure metadata. An attacker who can supply crafted serialized data may be able to execute arbitrary code, a classic Remote Code Execution scenario. This vulnerability is classified as CWE-502: Deserialization of Untrusted Data.
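The defensive side of this flaw is the second argument of PHP's unserialize(). The following is an added illustration, not code from the mailqueue extension; the TransportFailure and UnexpectedType classes and the reader functions are hypothetical stand-ins that show why restricting allowed_classes matters when the payload comes from a writable spool directory.

```php
<?php
// Added illustration (hypothetical classes, not the extension's code):
// how the allowed_classes option bounds what a stored payload may
// instantiate when transport failure metadata is read back.
declare(strict_types=1);

final class TransportFailure
{
    public function __construct(public string $message, public int $attempts) {}
}

// Stand-in for any class the reader does not expect. Counting __wakeup
// calls shows whether code of that class ran during deserialization.
final class UnexpectedType
{
    public static int $wakeups = 0;
    public function __wakeup(): void { self::$wakeups++; }
}

// Weak form: every class named in the payload is instantiated and its
// magic methods (__wakeup, __destruct) run. This is the CWE-502 pattern.
function readFailureUnsafe(string $payload): mixed
{
    return unserialize($payload);
}

// Hardened form: only the expected class may be instantiated. Any other
// class name becomes __PHP_Incomplete_Class and none of its code runs;
// max_depth (PHP >= 7.4) caps nesting of the structure.
function readFailureSafe(string $payload): ?TransportFailure
{
    $value = @unserialize($payload, [
        'allowed_classes' => [TransportFailure::class],
        'max_depth'       => 8,
    ]);
    // Accept nothing but the exact expected object (false, scalars and
    // incomplete classes are all rejected here).
    return $value instanceof TransportFailure ? $value : null;
}

// Constructed inputs: a legitimate record and a record naming a class
// the reader never expects (what a tampered spool file could contain).
$legit   = serialize(new TransportFailure('SMTP timeout', 3));
$foreign = serialize(new UnexpectedType());

readFailureUnsafe($foreign);
echo 'unsafe reader ran UnexpectedType::__wakeup: ', UnexpectedType::$wakeups, PHP_EOL;
UnexpectedType::$wakeups = 0;
readFailureSafe($foreign);
echo 'safe reader ran UnexpectedType::__wakeup:   ', UnexpectedType::$wakeups, PHP_EOL;
echo 'safe reader accepts legitimate record: ', var_export(readFailureSafe($legit) instanceof TransportFailure, true), PHP_EOL;
```

The same instanceof check also rejects the false that unserialize() returns on malformed input, so a corrupted or truncated spool file fails closed instead of yielding an unexpected type.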

Affected Systems

All installations of the TYPO3 Mailqueue extension that include the vulnerable deserialization logic may be affected. No specific version list is provided in the CNA data, so all versions should be evaluated until a patch is released.

Risk and Exploitability

The CVSS score of 5.2 indicates moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires write access to the directory specified by $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'], which may limit the attack surface to users with file system write privileges. Nevertheless, the potential for remote code execution warrants immediate attention.

Generated by OpenCVE AI on March 17, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website for a patch or updated release of the Mailqueue extension
  • Restrict write permissions on the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'] to prevent unauthorized serialized data
  • Disable the Mailqueue extension if it is not required for your workflow
  • Monitor application logs for unusual deserialization activity or errors related to the Mailqueue extension
  • Apply general web application hardening practices such as limiting file uploads and implementing least privilege principles


Advisories
Source: Github GHSA
ID: GHSA-2pm6-9fhx-vvg3
Title: The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class
History

Wed, 18 Mar 2026 12:15:00 +0000

Type: First Time appeared
  Values Added: Typo3; Typo3 extension "mailqueue"
Type: Vendors & Products
  Values Added: Typo3; Typo3 extension "mailqueue"

Tue, 17 Mar 2026 14:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 09:00:00 +0000

Type: Description
  Values Added: The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].
Type: Title
  Values Added: Insecure Deserialization in extension "Mailqueue" (mailqueue)
Type: Weaknesses
  Values Added: CWE-502
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 5.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-03-17T13:18:18.900Z

Reserved: 2026-01-22T06:39:32.852Z

Link: CVE-2026-1323

Vulnrichment

Updated: 2026-03-17T13:18:13.243Z

NVD

Status: Awaiting Analysis

Published: 2026-03-17T09:16:13.507

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-1323

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:29Z

Weaknesses