Back to search
CVE-2026-0859
Published: Jan 13, 2026
Modified: Jan 13, 2026
PUBLISHED
Description
TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
| Vendor | Product | Versions |
|---|---|---|
TYPO3 | TYPO3 CMS | affected 10.0.0 - < 10.4.55affected 11.0.0 - < 11.5.49affected 12.0.0 - < 12.4.41affected 13.0.0 - < 13.4.23affected 14.0.0 - < 14.0.2 |
Weaknesses (CWE)
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now