CVE-2026-1323

Source
https://cve.org/CVERecord?id=CVE-2026-1323
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1323.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-1323
Aliases
Published
2026-03-17T08:33:05.160Z
Modified
2026-07-08T08:12:40.284738178Z
Severity
  • 5.2 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H CVSS Calculator
Summary
Insecure Deserialization in extension "Mailqueue" (mailqueue)
Details

The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3CONFVARS']['MAIL']['transportspoolfilepath'].

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/1xxx/CVE-2026-1323.json",
    "cna_assigner": "TYPO3",
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Git / github.com/cps-it/mailqueue

Affected ranges

Type
GIT
Repo
https://github.com/cps-it/mailqueue
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:cps-it:mailqueue:*:*:*:*:*:typo3:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.4.5"
        },
        {
            "introduced": "0.5.0"
        },
        {
            "fixed": "0.5.2"
        }
    ]
}

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.5.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1323.json"