Deserialization in TYPO3 CMS

CVE-2026-0859

TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web serve…

Vulnerability class: Insecure Deserialization

EPSS: 0.001 (17.8th percentile)

Affected products

  • TYPO3 CMS — versions 10.0.0, 11.0.0, 12.0.0

Weakness classification (CWE)

References