Skip to main content

Early Access — Mondoo Vulnerability Intelligence is currently in preview.

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

CVE-2026-0859

MEDIUM5.2

TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool

Published Jan 13, 2026

Modified 3 days ago

No fix available

Details

TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

References

FIXhttps://github.com/TYPO3/typo3/commit/3225d705080a1bde57a66689621c947da5a4782f FIXhttps://github.com/TYPO3/typo3/commit/722bf71c118b0a8e4f2c2494854437d846799a13 FIXhttps://github.com/TYPO3/typo3/commit/e0f0ceee480c203fbb60b87454f5f193e541d27f ADVISORYhttps://typo3.org/security/advisory/typo3-core-sa-2026-004 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2026-0859

CVSS Analysis

CVSS v4.0

5.2

Exploitability

Attack Vector

LocalAV:L

Attack Complexity

LowAC:L

Attack Requirements

PresentAT:P

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

NoneVC:N

Vuln. Integrity

LowVI:L

Vuln. Availability

NoneVA:N

Subsequent System

Subseq. Confidentiality

HighSC:H

Subseq. Integrity

HighSI:H

Subseq. Availability

HighSA:H

5.2/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

Weakness Type (CWE)

Serialization

Deserialization of Untrusted Data

Ecosystems

Timeline

PublishedJan 13, 2026

ModifiedJan 13, 2026

CVE-2026-0859 | Mondoo Vulnerability Intelligence