GHSA-7vp9-x248-9vr9

Source

https://github.com/advisories/GHSA-7vp9-x248-9vr9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7vp9-x248-9vr9/GHSA-7vp9-x248-9vr9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7vp9-x248-9vr9

Aliases

CVE-2026-0859

Published

2026-01-13T21:54:06Z

Modified

2026-01-13T22:26:21.181972Z

Severity

5.2 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H CVSS Calculator

Summary

TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool

Details

Problem

Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server.

The vulnerability is triggered when TYPO3 is configured with $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file'; and a scheduler task or cron job runs the command mailer:spool:send. The spool‑send operation performs the insecure deserialization that is at the core of this issue.

Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

Credits

Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it.

References

TYPO3-CORE-SA-2026-004

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T21:54:06Z",
    "severity": "MODERATE",
    "nvd_published_at": "2026-01-13T12:15:50Z",
    "cwe_ids": [
        "CWE-502"
    ]
}

References

Affected packages

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.0.0

Fixed

14.0.2

Affected versions

v14.*

v14.0.0

v14.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7vp9-x248-9vr9/GHSA-7vp9-x248-9vr9.json"

last_known_affected_version_range

"<= 14.0.1"

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.0.0

Fixed

13.4.23

Affected versions

v13.*

v13.0.0

v13.0.1

v13.1.0

v13.1.1

v13.2.0

v13.2.1

v13.3.0

v13.3.1

v13.4.0

v13.4.1

v13.4.2

v13.4.3

v13.4.4

v13.4.5

v13.4.6

v13.4.7

v13.4.8

v13.4.9

v13.4.10

v13.4.11

v13.4.12

v13.4.13

v13.4.14

v13.4.15

v13.4.16

v13.4.17

v13.4.18

v13.4.19

v13.4.20

v13.4.21

v13.4.22

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7vp9-x248-9vr9/GHSA-7vp9-x248-9vr9.json"

last_known_affected_version_range

"<= 13.4.22"

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

12.0.0

Fixed

12.4.41

Affected versions

v12.*

v12.0.0

v12.1.0

v12.1.1

v12.1.2

v12.1.3

v12.2.0

v12.3.0

v12.4.0

v12.4.1

v12.4.2

v12.4.3

v12.4.4

v12.4.5

v12.4.6

v12.4.7

v12.4.8

v12.4.9

v12.4.10

v12.4.11

v12.4.12

v12.4.13

v12.4.14

v12.4.15

v12.4.16

v12.4.17

v12.4.18

v12.4.19

v12.4.20

v12.4.21

v12.4.22

v12.4.23

v12.4.24

v12.4.25

v12.4.26

v12.4.27

v12.4.28

v12.4.29

v12.4.30

v12.4.31

v12.4.32

v12.4.33

v12.4.34

v12.4.35

v12.4.36

v12.4.37

v12.4.38

v12.4.39

v12.4.40

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7vp9-x248-9vr9/GHSA-7vp9-x248-9vr9.json"

last_known_affected_version_range

"<= 12.4.40"

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0

Fixed

11.5.49

Affected versions

v11.*

v11.0.0

v11.1.0

v11.1.1

v11.2.0

v11.3.0

v11.3.1

v11.3.2

v11.3.3

v11.4.0

v11.5.0

v11.5.1

v11.5.2

v11.5.3

v11.5.4

v11.5.5

v11.5.6

v11.5.7

v11.5.8

v11.5.9

v11.5.10

v11.5.11

v11.5.12

v11.5.13

v11.5.14

v11.5.15

v11.5.16

v11.5.17

v11.5.18

v11.5.19

v11.5.20

v11.5.21

v11.5.22

v11.5.23

v11.5.24

v11.5.25

v11.5.26

v11.5.27

v11.5.28

v11.5.29

v11.5.30

v11.5.31

v11.5.32

v11.5.33

v11.5.34

v11.5.35

v11.5.36

v11.5.37

v11.5.38

v11.5.39

v11.5.40

v11.5.41

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7vp9-x248-9vr9/GHSA-7vp9-x248-9vr9.json"

last_known_affected_version_range

"<= 11.5.48"

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.4.55

Affected versions

v10.*

v10.0.0

v10.1.0

v10.2.0

v10.2.1

v10.2.2

v10.3.0

v10.4.0

v10.4.1

v10.4.2

v10.4.3

v10.4.4

v10.4.5

v10.4.6

v10.4.7

v10.4.8

v10.4.9

v10.4.10

v10.4.11

v10.4.12

v10.4.13

v10.4.14

v10.4.15

v10.4.16

v10.4.17

v10.4.18

v10.4.19

v10.4.20

v10.4.21

v10.4.22

v10.4.23

v10.4.24

v10.4.25

v10.4.26

v10.4.27

v10.4.28

v10.4.29

v10.4.30

v10.4.31

v10.4.32

v10.4.33

v10.4.34

v10.4.36

v10.4.37

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7vp9-x248-9vr9/GHSA-7vp9-x248-9vr9.json"

last_known_affected_version_range

"<= 10.4.54"