MeldSecurity
Press Enter to search
CVE Database & Search โ†’
Sign In Get Started

CVE-2026-0859

๐Ÿ”ด HIGH

TYPO3's mailโ€‘file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitr...

Published
Jan 13, 2026
Last Modified
Jan 14, 2026
Views
16
Bookmarks
0

Description

Request Expert Review

TYPO3's mailโ€‘file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

Affected Products (1)

typo3 - typo3

Version: *

CVSS Scores

CVSS 3.1 7.8
7.8
HIGH
CVSS 2.0 7.8

References

github.com github.com github.com typo3.org

Additional Information

Source
f4fb688c-4412-4426-b4b8-421ecf27b14a
State
Analyzed

Related CVEs

CVE-2026-2215

LOW

A vulnerability was detected in rachelos WeRSS we-mp-rss up to 1.4.8. This issue affects some unknown processing of the file core/auth.py of the compo...

Score: 3.7

CVE-2026-2214

LOW

A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. This ma...

Score: 2.4

CVE-2026-2213

MEDIUM

A security flaw has been discovered in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administ...

Score: 4.7

CVE-2026-1615

CRITICAL

All versions of the package jsonpath are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The libr...

Score: 9.8

CVE-2026-2212

HIGH

A vulnerability was identified in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /Adminis...

Score: 7.3

CVE-2026-2211

HIGH

A vulnerability was determined in code-projects Online Music Site 1.0. Affected is an unknown function of the file /Administrator/PHP/AdminDeleteCateg...

Score: 7.3

Share CVE-2026-0859

Share on Social Media

Copy Link

Embed Code

Request Expert Analysis

Request a professional security analysis for CVE-2026-0859 from our verified experts.

Credits System

Use your credits to get expert analysis from verified security professionals. Purchase more credits anytime!

Add 3 credits for accelerated delivery

Base Cost: 8 credits
Priority Upgrade: + credits
SLA Acceleration: +3 credits
Total Cost:
Your Balance:

Insufficient Credits

You need more credits to submit this request.

Buy Credits

Report Analysis