Description
TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Published: 2026-06-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TYPO3's VariableFrontend cache and Registry key-value store deserialize stored PHP payloads with no integrity check and no class restrictions, which is a PHP Object Injection flaw (CWE-502, Deserialization of Untrusted Data). An attacker who can write to the cache backend or to the sys_registry table can plant a crafted serialized object; when TYPO3 reads the entry back, the object's magic methods (__wakeup(), __unserialize(), __destruct()) run, and a suitable gadget chain in core or vendor code can turn that into remote code execution or other high-impact effects.
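The mechanism described above, shown as an added PHP 8 example that is neither TYPO3 code nor the project's fix: LogCleaner is a constructed stand-in for a gadget class, loadVulnerable/storeHardened/loadHardened are hypothetical wrapper names, and the HMAC key is assumed to live outside the attacker-writable store.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a gadget class. A real chain lives in application
// or vendor code and does something dangerous in __wakeup()/__destruct();
// this one only records that its __wakeup() ran.
final class LogCleaner
{
    /** @var string[] paths "cleaned" so far (records gadget activations) */
    public static array $triggered = [];

    public string $path = '';

    public function __wakeup(): void
    {
        // A real gadget might unlink($this->path) or include it.
        self::$triggered[] = $this->path;
    }
}

// Vulnerable read path: whatever sits in the backend is trusted and may
// instantiate any loaded class.
function loadVulnerable(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened write/read pair (hypothetical names, not the TYPO3 API):
//  1. the writer stores hex(HMAC-SHA256(key, blob)) . ':' . blob, so a blob
//     written by anyone without the key is rejected before it is parsed;
//  2. the reader calls unserialize() with allowed_classes=false, so even a
//     verified blob can only yield scalars, arrays or __PHP_Incomplete_Class,
//     never an object whose magic methods run.
function storeHardened(mixed $value, string $key): string
{
    $blob = serialize($value);
    return hash_hmac('sha256', $blob, $key) . ':' . $blob;
}

function loadHardened(string $stored, string $key): mixed
{
    if (strlen($stored) < 65 || $stored[64] !== ':') {   // 64 hex chars + ':'
        throw new RuntimeException('malformed entry');
    }
    $mac  = substr($stored, 0, 64);
    $blob = substr($stored, 65);
    if (!hash_equals(hash_hmac('sha256', $blob, $key), $mac)) {
        throw new RuntimeException('entry failed integrity check');
    }
    return unserialize($blob, ['allowed_classes' => false]);
}

// --- demonstration -----------------------------------------------------------

// The attacker, holding write access to the backend, plants this blob.
$gadget = new LogCleaner();
$gadget->path = '/var/www/html/.htaccess';
$payload = serialize($gadget);

loadVulnerable($payload);             // __wakeup() of the planted class runs
printf("vulnerable path: %d gadget activation(s)\n", count(LogCleaner::$triggered));

$r = unserialize($payload, ['allowed_classes' => false]);
printf("allowed_classes=false: got %s, still %d activation(s)\n",
    get_class($r), count(LogCleaner::$triggered));

$key = random_bytes(32);              // assumed to be stored outside the cache/DB
try {
    loadHardened($payload, $key);     // no valid MAC: rejected before parsing
} catch (RuntimeException $e) {
    echo "hardened path: ", $e->getMessage(), "\n";
}
$roundTrip = loadHardened(storeHardened(['ttl' => 3600], $key), $key);
var_dump($roundTrip === ['ttl' => 3600]);
```

Run it with php 8.0 or later: the first load shows the gadget's __wakeup() firing, the class-restricted load yields a __PHP_Incomplete_Class and no further activation, and the hardened load rejects the planted entry before unserialize() is even reached. The caveat is the key: if the attacker's write access extends to the file holding the HMAC key, as a full file-system compromise would, the integrity check buys nothing and only the class restriction still stands.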

Affected Systems

TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3 are affected. The flaw is in the core API that serializes cache and registry entries, not in an extension, so any installation on an affected version carries it.

Risk and Exploitability

The CVSS 4.0 score of 6.3 (Medium) follows from the vector AV:L/AC:L/AT:N/PR:L/UI:N: the attacker must already hold low-privileged local access, while the subsequent-system impact is rated high (SC:H/SI:H/SA:H), which is where the remote code execution potential shows. The EPSS score is below 1% (very low), the SSVC assessment records no known exploitation, and the entry is not in the CISA KEV catalog. Exploitation requires direct write access to the storage behind the cache or the sys_registry table, that is, the SQL database or the file system. The realistic path is therefore a chained attack: any foothold that grants write access to those stores (a compromised low-privileged account, a writable shared cache directory, or a separate database write primitive) is used to escalate to code execution in the web server's context.

Generated by OpenCVE AI on June 9, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a TYPO3 release that contains the fix: 10.4.57, 11.5.51, 12.4.46, 13.4.31 or 14.3.3, or any later release in the same branch.
  • Restrict write access to the cache backend (whether file-based, database-backed or an external key-value store) and to the sys_registry table so that only the application's own process and trusted deployment tooling can modify them; that write access is the precondition for exploitation, so database grants and directory permissions are the control to verify.
  • Log and periodically audit the contents of the cache and sys_registry stores: serialized PHP objects (entries containing O: or C: tokens) where only scalars and arrays are expected, writes from accounts other than the application's, and entries that fail to unserialize cleanly are all signals worth alerting on.
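A concrete form of the audit in the last bullet, added here as an example and not anything OpenCVE or TYPO3 ships. The sample rows are constructed, and the column order (entry_namespace, entry_key, entry_value) is assumed from TYPO3's sys_registry table rather than read from a live database.

```php
<?php
declare(strict_types=1);

// Recursively look for __PHP_Incomplete_Class in a decoded value: that is
// what every serialized object becomes under allowed_classes=false.
function containsObject(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Classify one stored value without ever running a real class's __wakeup(),
// __unserialize() or __destruct(). Returns 'object', 'invalid' or 'plain'.
function classifyEntry(string $serialized): string
{
    if ($serialized === 'b:0;') {        // the one value that legitimately decodes to false
        return 'plain';
    }
    $decoded = @unserialize($serialized, ['allowed_classes' => false]);
    if ($decoded === false) {
        return 'invalid';                // truncated or hand-edited blob
    }
    return containsObject($decoded) ? 'object' : 'plain';
}

// Constructed sample rows (entry_namespace, entry_key, entry_value). In
// practice they would come from a SELECT on sys_registry or a cache dump.
$rows = [
    ['core', 'sessionToken', serialize('0d1e2f')],
    ['core', 'lastRun',      serialize(['time' => 1717929600, 'ok' => true])],
    ['core', 'disabled',     'b:0;'],
    ['core', 'cleanup',      'O:10:"SomeGadget":1:{s:3:"cmd";s:2:"id";}'],
    ['core', 'nested',       'a:1:{s:1:"x";O:8:"stdClass":0:{}}'],
    ['core', 'broken',       'a:1:{s:1:"x";'],
];

foreach ($rows as [$namespace, $key, $value]) {
    $verdict = classifyEntry($value);
    if ($verdict !== 'plain') {
        printf("%-5s %-12s %s\n", $namespace, $key, $verdict);
    }
}
```

On the sample rows this reports cleanup and nested as object and broken as invalid; the two scalar/array entries and the legitimate false stay silent. Decoding with allowed_classes=false is what makes the scan safe to run against a store that may already hold a payload: a plain LIKE '%O:%' pre-filter in SQL is cheaper but matches ordinary strings, so treat it only as a first pass before this check.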


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000 (values added; nothing removed)

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 11:15:00 +0000 (values added; nothing removed)

  • Description: TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
  • Title: TYPO3 CMS - Insecure Deserialization in Core API
  • First time appeared: vendor Typo3, product typo3
  • Weaknesses: CWE-502
  • CPEs: cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
  • Vendors & Products: vendor Typo3, product typo3
  • References: none listed
  • Metrics: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T13:40:40.839Z

Reserved: 2026-06-01T10:52:50.597Z

Link: CVE-2026-49740

Vulnrichment

Updated: 2026-06-09T13:40:37.814Z

NVD

Status : Deferred

Published: 2026-06-09T11:16:53.380

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-49740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses