PT-2026-2638 · Typo3 · Typo3
Elias Häußler +2 · Published 2026-01-13 · Updated 2026-01-14 · CVE-2026-0859
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
TYPO3 versions 10.0.0 through 10.4.54
TYPO3 versions 11.0.0 through 11.5.48
TYPO3 versions 12.0.0 through 12.4.40
TYPO3 versions 13.0.0 through 13.4.22
TYPO3 versions 14.0.0 through 14.0.1
Description
A flaw exists in TYPO3 that allows local users with write access to the spool directory to execute arbitrary PHP code on the web server. This is possible by crafting a malicious file that is deserialized during the mailer:spool:send command.
Recommendations
Update TYPO3 to a version later than 10.4.54.
Update TYPO3 to a version later than 11.5.48.
Update TYPO3 to a version later than 12.4.40.
Update TYPO3 to a version later than 13.4.22.
Update TYPO3 to a version later than 14.0.1.
Fix
RCE
Deserialization of Untrusted Data
Affected Products
Typo3