Description

TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

INFO

Published Date :

2026-01-13T11:54:11.494Z

Last Modified :

2026-01-13T14:12:12.132Z

Source :

TYPO3
AFFECTED PRODUCTS

The following products are affected by CVE-2026-0859 vulnerability.

Vendors Products
Typo3
  • Typo3
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-0859.

URL Resource
https://github.com/TYPO3/typo3/commit/3225d705080a1bde57a66689621c947da5a4782f cve-icon cve-icon
https://github.com/TYPO3/typo3/commit/722bf71c118b0a8e4f2c2494854437d846799a13 cve-icon cve-icon
https://github.com/TYPO3/typo3/commit/e0f0ceee480c203fbb60b87454f5f193e541d27f cve-icon cve-icon
https://typo3.org/security/advisory/typo3-core-sa-2026-004 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability