What is the CVSS score of CVE-2026-0859?

CVE-2026-0859 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Typo3 are affected by CVE-2026-0859?

CVE-2026-0859 presents notable security risk, a insecure deserialization vulnerability rated CVSS 7.8.. A patch is available.

How to fix or mitigate CVE-2026-0859?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Restrict deserialization to trusted data sources and implement integrity checks.

Typo3 CVE-2026-0859

HIGH

Deserialization of Untrusted Data (CWE-502)

2026-01-13 f4fb688c-4412-4426-b4b8-421ecf27b14a

GHSA-7vp9-x248-9vr9

Typo3 PHP Deserialization

7.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.8 HIGH

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Jan 14, 2026 - 18:57 nvd

Patch available

CVE Published

Jan 13, 2026 - 12:15 nvd

HIGH 7.8

DescriptionCVE.org

TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

AnalysisAI

Arbitrary PHP code execution in TYPO3 CMS versions 10.0.0 through 14.0.1 through unsafe deserialization of mail spool files, allowing local attackers with write access to the spool directory to execute malicious code when the mailer:spool:send command is executed. Affected versions span multiple release lines including 10.x, 11.x, 12.x, 13.x, and 14.x, requiring immediate patching to prevent web server compromise.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Write malicious serialized PHP object to spool directory

Exploit

TYPO3 executes mailer:spool:send command

Execution

Deserialize malicious file without validation

Impact

Execute arbitrary PHP code as web server

Access

Write malicious serialized PHP object to spool directory

Exploit

TYPO3 executes mailer:spool:send command

Execution

Deserialize malicious file without validation

Impact

Execute arbitrary PHP code as web server

Vulnerability AssessmentAI

Exploitation	Local write access to TYPO3 mail-file spool directory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	A vendor patch is available — apply it immediately. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 7 days: Identify all affected systems and apply vendor patches promptly. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-0859 vulnerability details – vuln.today

Back

Typo3 CVE-2026-0859

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code