PT-2026-47747 · Typo3 Association · Typo3/Cms
Mert Akdag and 7 others
Published: 2026-06-09 · Updated: 2026-06-09
CVE-2026-49740 · CVSS v4.0 6.3 (Medium)
| Vector | AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
TYPO3 CMS versions prior to 10.4.57
TYPO3 CMS versions 11.0.0 through 11.5.51
TYPO3 CMS versions 12.0.0 through 12.4.46
TYPO3 CMS versions 13.0.0 through 13.4.31
TYPO3 CMS versions 14.0.0 through 14.3.3
Description
The cache frontend (VariableFrontend) and the persistent key-value store (Registry) deserialize stored PHP payloads without any integrity validation and without restricting which classes may be instantiated. An attacker who can write to the underlying storage backend, for example the cache files on the file system or the sys_registry database table, can plant a crafted serialized payload that is deserialized the next time the entry is read, resulting in PHP Object Injection. Combined with a suitable gadget chain present in the installed code base, this can lead to Remote Code Execution. Note that write access to the backend is a precondition (reflected by the Local attack vector and Low privileges in the CVSS vector above); the deserialization step itself provides no trust boundary.
Recommendations
Update to version 10.4.57 or later.
Update to version 11.5.52 or later.
Update to version 12.4.47 or later.
Update to version 13.4.32 or later.
Update to version 14.3.4 or later.
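To make the pattern in the description concrete, the following is an added example in PHP (PHP 8.0 or later assumed). It is not TYPO3 code and the class names (Gadget, GadgetLog, FileBackend, UnsafeFrontend, SafeFrontend) are hypothetical: a minimal cache-frontend-like class stores serialize()d values in a backend that an attacker can write to, an attacker plants a serialized object whose __destruct stands in for a gadget chain, and the unsafe reader triggers it. The hardened variant shows one possible mitigation (an HMAC over the blob plus allowed_classes => false), which is an assumption for illustration and not a description of the TYPO3 patch.

```php
<?php
declare(strict_types=1);
// Added example (not TYPO3 code, PHP >= 8.0 assumed). Models the flaw in the
// advisory with hypothetical classes: a frontend that stores serialize()d
// values in a backend the attacker can write to.

// Stand-in for an autoloadable gadget class. A real chain would end in a
// file write or eval(); here __destruct only records that it ran.
final class Gadget
{
    public string $cmd = '';
    public function __destruct()
    {
        GadgetLog::$fired[] = $this->cmd;   // a real gadget might do system($this->cmd)
    }
}
final class GadgetLog
{
    /** @var string[] */
    public static array $fired = [];
}

// Hypothetical backend: one file per entry, like a file cache backend.
// A database table such as sys_registry plays the same role.
final class FileBackend
{
    public function __construct(private string $dir) {}
    public function set(string $id, string $data): void
    {
        file_put_contents($this->dir . '/' . $id, $data);
    }
    public function get(string $id): ?string
    {
        $path = $this->dir . '/' . $id;
        return is_file($path) ? (string) file_get_contents($path) : null;
    }
}

// Vulnerable pattern: whatever the backend returns is fed to unserialize().
final class UnsafeFrontend
{
    public function __construct(private FileBackend $backend) {}
    public function set(string $id, mixed $value): void
    {
        $this->backend->set($id, serialize($value));
    }
    public function get(string $id): mixed
    {
        $raw = $this->backend->get($id);
        return $raw === null ? null : unserialize($raw);  // no MAC, no allowed_classes
    }
}

// Hardened pattern (one mitigation, assumed here, not a description of the
// TYPO3 patch): HMAC the blob under a key the backend writer does not hold,
// and refuse to instantiate classes even if a blob validates.
final class SafeFrontend
{
    public function __construct(private FileBackend $backend, private string $key) {}
    public function set(string $id, mixed $value): void
    {
        $payload = serialize($value);
        $this->backend->set($id, hash_hmac('sha256', $payload, $this->key) . ':' . $payload);
    }
    public function get(string $id): mixed
    {
        $raw = $this->backend->get($id);
        if ($raw === null || strpos($raw, ':') !== 64) {
            return null;                                  // malformed: cache miss
        }
        [$mac, $payload] = explode(':', $raw, 2);
        if (!hash_equals(hash_hmac('sha256', $payload, $this->key), $mac)) {
            return null;                                  // tampered: cache miss
        }
        // Objects come back as __PHP_Incomplete_Class, so no __wakeup/__destruct
        // gadget runs even if the integrity check were bypassed.
        return unserialize($payload, ['allowed_classes' => false]);
    }
}

// --- Demo ---------------------------------------------------------------
$dir = sys_get_temp_dir() . '/frontend-demo-' . getmypid();
mkdir($dir);
$backend = new FileBackend($dir);

// Attacker with backend write access plants a serialized Gadget (constructed payload).
$planted = 'O:6:"Gadget":1:{s:3:"cmd";s:9:"id > /tmp";}';
$backend->set('entry', $planted);

$v = (new UnsafeFrontend($backend))->get('entry');
unset($v);                                   // refcount hits zero: __destruct fires
printf("unsafe: gadget fired %d time(s)\n", count(GadgetLog::$fired));   // 1

GadgetLog::$fired = [];
$safe = new SafeFrontend($backend, random_bytes(32));
var_dump($safe->get('entry'));               // NULL: no valid MAC on the planted blob
$safe->set('entry', ['ttl' => 3600]);
var_dump($safe->get('entry'));               // the array: legitimate round trip still works

$x = unserialize($planted, ['allowed_classes' => false]);
printf("allowed_classes=false yields %s\n", get_class($x));   // __PHP_Incomplete_Class
unset($x);                                   // no __destruct on an incomplete class
printf("safe: gadget fired %d time(s)\n", count(GadgetLog::$fired));     // 0

unlink($dir . '/entry');
rmdir($dir);
```

Run it with `php demo.php`. The HMAC only helps while the attacker cannot read the key; an attacker with file-system write access to the whole installation may also read configuration, which is why the allowed_classes restriction matters as a second layer. Neither measure replaces upgrading to the fixed versions listed above.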
Fix
Weakness Enumeration
Deserialization of Untrusted Data (CWE-502)
Related Identifiers
Affected Products
Typo3/Cms