GHSA-c78m-c52x-jgwp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c78m-c52x-jgwp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c78m-c52x-jgwp/GHSA-c78m-c52x-jgwp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c78m-c52x-jgwp
- Aliases
-
- CVE-2026-49740
- Published
- 2026-06-12T19:09:26Z
- Modified
- 2026-06-12T19:15:19.376159836Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- TYPO3 CMS has Insecure Deserialization via Core API
- Details
-
Problem
TYPO3's cache frontend (
VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects.Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system.
Solution
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.
Credits
TYPO3 CMS thanks “z3rco”, Chowdhury Faizal Ahammed, Rick Larabee, Vitaly Simonovich, Nozomu Sasaki, Mert Akdag, “tikket”, Shafi Almutairi for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.
Resources
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-06-12T19:09:26Z", "nvd_published_at": "2026-06-09T11:16:53Z", "severity": "MODERATE", "cwe_ids": [ "CWE-502" ] }- References
-
- https://github.com/TYPO3/typo3/security/advisories/GHSA-c78m-c52x-jgwp
- https://nvd.nist.gov/vuln/detail/CVE-2026-49740
- https://github.com/TYPO3/typo3/commit/48bcf24f31f52cc0b43d3bea4984634bd2cf85c7
- https://github.com/TYPO3/typo3/commit/87cd7c5b710c44d3606fed277b040a75dc6a9c02
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49740.yaml
- https://github.com/TYPO3/typo3
- https://typo3.org/security/advisory/typo3-core-sa-2026-018
Affected packages
Packagist / typo3/cms-core
Package
- Name
- typo3/cms-core
- Purl
- pkg:composer/typo3%2Fcms-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed10.4.57
Affected versions
v8.*
v8.7.7
v8.7.8
v8.7.9
v8.7.10
v8.7.11
v8.7.12
v8.7.13
v8.7.14
v8.7.15
v8.7.16
v8.7.17
v8.7.18
v8.7.19
v8.7.20
v8.7.21
v8.7.22
v8.7.23
v8.7.24
v8.7.25
v8.7.26
v8.7.27
v8.7.28
v8.7.29
v8.7.30
v8.7.31
v8.7.32
v9.*
v9.0.0
v9.1.0
v9.2.0
v9.2.1
v9.3.0
v9.3.1
v9.3.2
v9.3.3
v9.4.0
v9.5.0
v9.5.1
v9.5.2
v9.5.3
v9.5.4
v9.5.5
v9.5.6
v9.5.7
v9.5.8
v9.5.9
v9.5.10
v9.5.11
v9.5.12
v9.5.13
v9.5.14
v9.5.15
v9.5.16
v9.5.17
v9.5.18
v9.5.19
v9.5.20
v9.5.21
v9.5.22
v9.5.23
v9.5.24
v9.5.25
v9.5.26
v9.5.27
v9.5.28
v9.5.29
v9.5.30
v9.5.31
v10.*
v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13
v10.4.14
v10.4.15
v10.4.16
v10.4.17
v10.4.18
v10.4.19
v10.4.20
v10.4.21
v10.4.22
v10.4.23
v10.4.24
v10.4.25
v10.4.26
v10.4.27
v10.4.28
v10.4.29
v10.4.30
v10.4.31
v10.4.32
v10.4.33
v10.4.34
v10.4.36
v10.4.37
Packagist / typo3/cms-core
Package
- Name
- typo3/cms-core
- Purl
- pkg:composer/typo3%2Fcms-core
Affected versions
v11.*
v11.0.0
v11.1.0
v11.1.1
v11.2.0
v11.3.0
v11.3.1
v11.3.2
v11.3.3
v11.4.0
v11.5.0
v11.5.1
v11.5.2
v11.5.3
v11.5.4
v11.5.5
v11.5.6
v11.5.7
v11.5.8
v11.5.9
v11.5.10
v11.5.11
v11.5.12
v11.5.13
v11.5.14
v11.5.15
v11.5.16
v11.5.17
v11.5.18
v11.5.19
v11.5.20
v11.5.21
v11.5.22
v11.5.23
v11.5.24
v11.5.25
v11.5.26
v11.5.27
v11.5.28
v11.5.29
v11.5.30
v11.5.31
v11.5.32
v11.5.33
v11.5.34
v11.5.35
v11.5.36
v11.5.37
v11.5.38
v11.5.39
v11.5.40
v11.5.41
Packagist / typo3/cms-core
Package
- Name
- typo3/cms-core
- Purl
- pkg:composer/typo3%2Fcms-core
Affected versions
v12.*
v12.0.0
v12.1.0
v12.1.1
v12.1.2
v12.1.3
v12.2.0
v12.3.0
v12.4.0
v12.4.1
v12.4.2
v12.4.3
v12.4.4
v12.4.5
v12.4.6
v12.4.7
v12.4.8
v12.4.9
v12.4.10
v12.4.11
v12.4.12
v12.4.13
v12.4.14
v12.4.15
v12.4.16
v12.4.17
v12.4.18
v12.4.19
v12.4.20
v12.4.21
v12.4.22
v12.4.23
v12.4.24
v12.4.25
v12.4.26
v12.4.27
v12.4.28
v12.4.29
v12.4.30
v12.4.31
v12.4.32
v12.4.33
v12.4.34
v12.4.35
v12.4.36
v12.4.37
v12.4.38
v12.4.39
v12.4.40
v12.4.41
v12.4.42
v12.4.43
v12.4.44
v12.4.45
Packagist / typo3/cms-core
Package
- Name
- typo3/cms-core
- Purl
- pkg:composer/typo3%2Fcms-core
Affected versions
v13.*
v13.0.0
v13.0.1
v13.1.0
v13.1.1
v13.2.0
v13.2.1
v13.3.0
v13.3.1
v13.4.0
v13.4.1
v13.4.2
v13.4.3
v13.4.4
v13.4.5
v13.4.6
v13.4.7
v13.4.8
v13.4.9
v13.4.10
v13.4.11
v13.4.12
v13.4.13
v13.4.14
v13.4.15
v13.4.16
v13.4.17
v13.4.18
v13.4.19
v13.4.20
v13.4.21
v13.4.22
v13.4.23
v13.4.24
v13.4.25
v13.4.26
v13.4.27
v13.4.28
v13.4.29
v13.4.30
Packagist / typo3/cms-core
Package
- Name
- typo3/cms-core
- Purl
- pkg:composer/typo3%2Fcms-core