Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Analysis (AI)
PHP Object Injection in TYPO3 CMS's cache frontend (VariableFrontend) and persistent key-value store (Registry) exposes TYPO3 installations to potential Remote Code Execution when an attacker controls write access to the underlying storage layer. The root cause is bare PHP unserialize() calls on storage-retrieved data without HMAC integrity validation or class allowlists, meaning attacker-controlled data in the sys_registry table or cache backend can trigger deserialization of crafted PHP objects through a gadget chain. …
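The root cause named above is a storage read handed straight to unserialize(). The following PHP is an added illustration, not TYPO3's code and not its fix: a toy key-value store with the unsafe read next to a hardened read that (1) verifies an HMAC over the stored payload before deserialising, so a row rewritten by someone with backend write access but no key is rejected, and (2) passes allowed_classes to unserialize() so that even an authentic payload cannot instantiate arbitrary classes. The class names, the secret, and the in-memory array standing in for the database table are all assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. UnsafeStore mirrors the pattern described
// in the analysis; HardenedStore shows the two controls it lacks.

final class UnsafeStore
{
    /** @var array<string,string> stands in for a database table or cache file */
    private array $rows = [];

    public function set(string $key, mixed $value): void
    {
        $this->rows[$key] = serialize($value);
    }

    // Whatever sits in the backing store is deserialised as-is: an attacker who
    // can write the row chooses which classes get instantiated.
    public function get(string $key): mixed
    {
        return unserialize($this->rows[$key]);
    }
}

final class HardenedStore
{
    /** @var array<string,string> */
    private array $rows = [];

    public function __construct(
        private readonly string $secret,            // lives in config, never in the store
        private readonly array $allowedClasses = [] // [] = scalars and arrays only
    ) {}

    public function set(string $key, mixed $value): void
    {
        $payload = serialize($value);
        // MAC binds the payload to its key so rows cannot be swapped between keys.
        $mac = hash_hmac('sha256', $key . "\0" . $payload, $this->secret);
        $this->rows[$key] = $mac . ':' . $payload;
    }

    public function get(string $key): mixed
    {
        if (!isset($this->rows[$key])) {
            return null;
        }
        [$mac, $payload] = explode(':', $this->rows[$key], 2) + [1 => null];
        if ($payload === null) {
            throw new RuntimeException("Malformed entry for key '$key'");
        }
        $expected = hash_hmac('sha256', $key . "\0" . $payload, $this->secret);
        // Constant-time comparison; a modified row never reaches unserialize().
        if (!hash_equals($expected, $mac)) {
            throw new RuntimeException("Integrity check failed for key '$key'");
        }
        // Defence in depth: only allowlisted classes may be instantiated,
        // anything else is materialised as __PHP_Incomplete_Class.
        return unserialize($payload, ['allowed_classes' => $this->allowedClasses]);
    }

    // Test helper only: simulates a direct backend write by someone who can
    // reach the storage but does not hold the secret.
    public function simulateBackendWrite(string $key, string $rawSerialized): void
    {
        [$mac] = explode(':', $this->rows[$key], 2);
        $this->rows[$key] = $mac . ':' . $rawSerialized;
    }
}

// Demo: normal round trip, then a read of a row rewritten behind the store's back.
$store = new HardenedStore(random_bytes(32));
$store->set('settings', ['cacheTtl' => 3600]);
var_dump($store->get('settings'));

// Constructed sample: a harmless serialized stdClass written straight into the backend.
$store->simulateBackendWrite('settings', 'O:8:"stdClass":0:{}');
try {
    $store->get('settings');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The two controls are independent: the HMAC stops any read of data the application did not itself write, and the allowlist limits what a valid-looking payload can do if the secret is ever exposed. Either alone is weaker than both; note that allowed_classes must be set to the actual list of expected classes (or kept empty) rather than true, which disables the restriction.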
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires authenticated, local write access to TYPO3's storage layer - specifically, direct write capability to either the `sys_registry` database table or the persistent cache storage backend (file system or database) used by `VariableFrontend`. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 6.3 appropriately reflects the local access barrier (AV:L) and low-privilege requirement (PR:L), which materially constrain opportunistic exploitation - unauthenticated internet-facing attackers cannot directly trigger this. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised TYPO3's database credentials - for example, through a SQL injection flaw in a third-party extension, a reused credential from another breach, or direct server access - connects to the database and inserts a crafted PHP serialized object into the `sys_registry` table's `entry_value` column. On the next TYPO3 request that triggers `Registry::loadEntriesByNamespace()`, the payload is deserialized without class restrictions, a gadget chain present among TYPO3's loaded dependencies is activated, and arbitrary code executes under the web server process account. … |
| Remediation | Upgrade TYPO3 CMS to a patched release: 10.4.57 for the 10.4.x branch, 11.5.52 for the 11.x branch, 12.4.47 for the 12.x branch, 13.4.32 for the 13.x branch, or 14.3.4 for the 14.x branch - these versions are inferred from the affected range boundaries and should be confirmed against the vendor advisory at https://typo3.org/security/advisory/typo3-core-sa-2026-018 before deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
EUVD-2026-35401
GHSA-c78m-c52x-jgwp