
Extension Mailqueue CVE-2026-1323

EUVD-2026-12548 · MEDIUM
Deserialization of Untrusted Data (CWE-502)
2026-03-17 · TYPO3 · GHSA-2pm6-9fhx-vvg3
5.2 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 5.2 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; only source for this CVE.

CVSS vector (NVD) breakdown:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Patch released / patch available: Mar 31, 2026 - 21:13 (nvd)
  • EUVD ID assigned (EUVD-2026-12548): Mar 17, 2026 - 11:57 (euvd)
  • Analysis generated: Mar 17, 2026 - 11:57 (vuln.today)
  • CVE published: Mar 17, 2026 - 08:33 (nvd)

Description (CVE.org)

The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].
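The fix pattern the description points at is restricting which classes PHP's unserialize() may instantiate. The following is an added illustration, not the extension's or TYPO3's own code; the metadata class, its fields and the sample payloads are assumptions constructed for this example.

```php
<?php
// Added example, not code from the TYPO3 extension. TransportFailureMetadata
// and its fields are hypothetical; the spool-file contents are constructed.
declare(strict_types=1);

final class TransportFailureMetadata
{
    public string $recipient;
    public string $reason;

    public function __construct(string $recipient, string $reason)
    {
        $this->recipient = $recipient;
        $this->reason = $reason;
    }
}

// Weak form: no allowed_classes option, so whatever class name is written in
// the spool file gets instantiated, including classes with __wakeup/__destruct
// side effects. Anyone who can write to the spool directory controls that.
function readFailureMetadataUnrestricted(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened form: only the expected metadata class may be instantiated. Any
// other class name is turned into __PHP_Incomplete_Class by PHP, which fails
// the instanceof check and is treated as corrupt data.
function readFailureMetadataRestricted(string $raw): TransportFailureMetadata
{
    $value = unserialize($raw, [
        'allowed_classes' => [TransportFailureMetadata::class],
        'max_depth'       => 8, // also bounds nesting of attacker-shaped input
    ]);
    if (!$value instanceof TransportFailureMetadata) {
        throw new UnexpectedValueException('Spool metadata has unexpected type');
    }
    return $value;
}

// Constructed legitimate record, as the extension itself would have written it.
$good = serialize(new TransportFailureMetadata('user@example.test', 'connection refused'));
echo readFailureMetadataRestricted($good)->reason, PHP_EOL;

// Constructed record naming a class the reader never expects. The restricted
// reader rejects it instead of letting PHP build that object.
$tampered = 'O:14:"SomeOtherClass":0:{}';
try {
    readFailureMetadataRestricted($tampered);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Checking the result type after unserialize() matters even with allowed_classes set, because a payload can still contain a scalar or array rather than the expected object.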

Analysis (AI)

Unsafe deserialization in TYPO3's mail transport extension permits arbitrary code execution when an attacker with write access to the configured spool directory supplies malicious serialized objects during transport failure handling. The vulnerability stems from inadequate class whitelisting during deserialization and requires local filesystem access to exploit. …


Vulnerability Assessment (AI)

Risk Assessment: Remote code execution, denial of service, or authentication bypass through manipulation of serialized object state.

Exploit Scenario: An attacker modifies a serialized object (e.g., in a cookie or API parameter) to include malicious payloads that execute during the deserialization process. For this CVE specifically, the description above places the serialized data in the transport failure metadata under the configured spool directory, so an attacker needs write access to that directory rather than a network-facing input.

Remediation: Avoid deserializing untrusted data. …

Recommended Action (AI)

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …
