{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0859", "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "state": "PUBLISHED", "assignerShortName": "TYPO3", "dateReserved": "2026-01-12T11:25:46.041Z", "datePublished": "2026-01-13T11:54:11.494Z", "dateUpdated": "2026-01-13T14:12:12.132Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://packagist.org", "defaultStatus": "unaffected", "modules": ["Core"], "packageName": "typo3/cms-core", "product": "TYPO3 CMS", "repo": "https://github.com/TYPO3/typo3", "vendor": "TYPO3", "versions": [{"lessThan": "10.4.55", "status": "affected", "version": "10.0.0", "versionType": "semver"}, {"lessThan": "11.5.49", "status": "affected", "version": "11.0.0", "versionType": "semver"}, {"lessThan": "12.4.41", "status": "affected", "version": "12.0.0", "versionType": "semver"}, {"lessThan": "13.4.23", "status": "affected", "version": "13.0.0", "versionType": "semver"}, {"lessThan": "14.0.2", "status": "affected", "version": "14.0.0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.4.55", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.5.49", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "versionEndExcluding": "12.4.41", "versionStartIncluding": "12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.4.23", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "versionEndExcluding": "14.0.2", "versionStartIncluding": "14.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "reporter", "value": "Vitaly Simonovich"}, {"lang": "en", "type": "remediation developer", "value": "Elias H\u00e4u\u00dfler"}, {"lang": "en", "type": "remediation developer", "value": "Oliver Hader"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "TYPO3's mail\u2011file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the <code>mailer:spool:send</code> command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1."}], "value": "TYPO3's mail\u2011file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.2, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "shortName": "TYPO3", "dateUpdated": "2026-01-13T11:54:25.069Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-004"}, {"name": "Git commit of main branch", "tags": ["patch"], "url": "https://github.com/TYPO3/typo3/commit/3225d705080a1bde57a66689621c947da5a4782f"}, {"name": "Git commit of 13.4 branch", "tags": ["patch"], "url": "https://github.com/TYPO3/typo3/commit/e0f0ceee480c203fbb60b87454f5f193e541d27f"}, {"name": "Git commit of 12.4 branch", "tags": ["patch"], "url": "https://github.com/TYPO3/typo3/commit/722bf71c118b0a8e4f2c2494854437d846799a13"}], "source": {"discovery": "UNKNOWN"}, "title": "TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T14:11:54.124321Z", "id": "CVE-2026-0859", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:12:12.132Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0859", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T14:11:54.124321Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:11:58.501Z"}}], "cna": {"title": "TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Vitaly Simonovich"}, {"lang": "en", "type": "remediation developer", "value": "Elias H\u00e4u\u00dfler"}, {"lang": "en", "type": "remediation developer", "value": "Oliver Hader"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.2, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/TYPO3/typo3", "vendor": "TYPO3", "modules": ["Core"], "product": "TYPO3 CMS", "versions": [{"status": "affected", "version": "10.0.0", "lessThan": "10.4.55", "versionType": "semver"}, {"status": "affected", "version": "11.0.0", "lessThan": "11.5.49", "versionType": "semver"}, {"status": "affected", "version": "12.0.0", "lessThan": "12.4.41", "versionType": "semver"}, {"status": "affected", "version": "13.0.0", "lessThan": "13.4.23", "versionType": "semver"}, {"status": "affected", "version": "14.0.0", "lessThan": "14.0.2", "versionType": "semver"}], "packageName": "typo3/cms-core", "collectionURL": "https://packagist.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://typo3.org/security/advisory/typo3-core-sa-2026-004", "tags": ["vendor-advisory"]}, {"url": "https://github.com/TYPO3/typo3/commit/3225d705080a1bde57a66689621c947da5a4782f", "name": "Git commit of main branch", "tags": ["patch"]}, {"url": "https://github.com/TYPO3/typo3/commit/e0f0ceee480c203fbb60b87454f5f193e541d27f", "name": "Git commit of 13.4 branch", "tags": ["patch"]}, {"url": "https://github.com/TYPO3/typo3/commit/722bf71c118b0a8e4f2c2494854437d846799a13", "name": "Git commit of 12.4 branch", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "TYPO3's mail\u2011file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.", "supportingMedia": [{"type": "text/html", "value": "TYPO3's mail\u2011file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the <code>mailer:spool:send</code> command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.4.55", "versionStartIncluding": "10.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "11.5.49", "versionStartIncluding": "11.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "12.4.41", "versionStartIncluding": "12.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "13.4.23", "versionStartIncluding": "13.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "14.0.2", "versionStartIncluding": "14.0.0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "shortName": "TYPO3", "dateUpdated": "2026-01-13T11:54:25.069Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0859", "state": "PUBLISHED", "dateUpdated": "2026-01-13T14:12:12.132Z", "dateReserved": "2026-01-12T11:25:46.041Z", "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "datePublished": "2026-01-13T11:54:11.494Z", "assignerShortName": "TYPO3"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F66D2E5-38C1-4708-BBEA-6963B2AFEA8B", "versionEndExcluding": "10.4.55", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E718BBF-B384-4223-A53D-528F77E17DC2", "versionEndExcluding": "11.5.49", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "matchCriteriaId": "D330992D-8C99-458A-A139-47407B4BBB66", "versionEndExcluding": "12.4.41", "versionStartIncluding": "12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA2179C6-E438-4413-A717-9112618BA6CF", "versionEndExcluding": "13.4.23", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "matchCriteriaId": "310C5FCB-6F96-4409-BB9A-E582E18E067A", "versionEndExcluding": "14.0.2", "versionStartIncluding": "14.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "TYPO3's mail\u2011file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1."}], "id": "CVE-2026-0859", "lastModified": "2026-01-14T18:57:50.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "type": "Secondary"}]}, "published": "2026-01-13T12:15:50.383", "references": [{"source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "tags": ["Patch"], "url": "https://github.com/TYPO3/typo3/commit/3225d705080a1bde57a66689621c947da5a4782f"}, {"source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "tags": ["Patch"], "url": "https://github.com/TYPO3/typo3/commit/722bf71c118b0a8e4f2c2494854437d846799a13"}, {"source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "tags": ["Patch"], "url": "https://github.com/TYPO3/typo3/commit/e0f0ceee480c203fbb60b87454f5f193e541d27f"}, {"source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "tags": ["Vendor Advisory"], "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-004"}], "sourceIdentifier": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:24:15.356138+00:00", "value": {"mitigation_remediation": ["Apply the latest TYPO3 CMS patch that addresses the mail\u2011file spool deserialization flaw or upgrade to a version newer than 14.0.1.", "Restrict write permissions on the mailer spool directory so that only trusted system accounts can create or modify files there.", "If an immediate patch or upgrade cannot be applied, consider moving the spool processing to a separate, restricted environment or disabling the spool send command until the issue is resolved."], "summary": {"action": "Patch", "impact": "Local Arbitrary PHP Code Execution via Insecure Deserialization"}, "threat_synthesis": {"affected_systems": "TYPO3 CMS is affected. The vulnerable releases are 10.0.0 through 10.4.54, 11.0.0 through 11.5.48, 12.0.0 through 12.4.40, 13.0.0 through 13.4.22, and 14.0.0 through 14.0.1. All versions in these ranges are at risk if the spool directory is writable by local users.", "description_and_impact": "The vulnerability arises from the mail\u2011file spool deserialization process in TYPO3 CMS. A local user who can write to the spool directory can place a crafted file that is deserialized when the mailer:spool:send command runs. During deserialization, PHP code embedded in the file is executed on the server, giving the attacker arbitrary PHP code execution on the web server. The flaw is a classic instance of insecure deserialization, identified as CWE\u2011502.", "risk_and_exploitability": "The CVSS base score of 5.2 indicates moderate severity. The EPSS score is less than 1\u202f%, suggesting a very low exploitation probability under current conditions, and the issue is not yet listed in CISA\u2019s KEV catalog. The primary attack vector is local; an attacker must have file\u2011system write access to the spool directory. If the spool directory is exposed to users with such privileges, the attacker can trigger code execution by running the spool send command. While the likelihood is low, the impact of successful exploitation would be complete compromise of the affected CMS installation."}}}}, "created": "2026-04-18T16:30:05.083739+00:00", "updated": "2026-04-18T16:30:05.083749+00:00", "vendors": []}