Deserialization in Typo3 Extension "Mailqueue"

CVE-2026-0895

The extension extends TYPO3’ FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . Since the related fix is overwritten by the ex…

Vulnerability class: Insecure Deserialization

EPSS: 0.001 (22.1th percentile) — read the EPSS interpretation.

Affected products

Typo3 Extension "Mailqueue" — versions 0, 0.5.0

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

References

typo3.org/security/advisory/typo3-ext-sa-2026-001 (vendor-advisory)
github.com/CPS-IT/mailqueue/commit/fd09aa4e1a751551bae4b228bee814e22f2048db (patch)
github.com/CPS-IT/mailqueue/commit/12a0a35027bb5609917790a94e43bbf117abf733 (patch)