CVE-2026-0859
📋 TL;DR
This CVE describes a deserialization vulnerability in the mail file spool functionality of TYPO3 CMS. A local user with write access to the spool directory can place a crafted spool file there; when the mailer:spool:send command processes that file, arbitrary PHP code is executed. Affected versions are TYPO3 CMS 10.0.0 through 14.0.1.
💻 Affected Systems
- TYPO3 CMS
📦 What is this software?
Typo3 by Typo3
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with arbitrary PHP code execution, leading to data theft, lateral movement, and complete system control.
Likely Case
Privilege escalation from local user to web server user, enabling website defacement, data manipulation, and further exploitation.
If Mitigated
Limited impact if proper file permissions restrict spool directory access and monitoring detects suspicious activity.
🎯 Exploit Status
Exploitation requires local access and knowledge of spool directory location. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.4.55, 11.5.49, 12.4.41, 13.4.23, 14.0.2
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2026-004
Restart Required: No
Instructions:
1. Back up your TYPO3 installation.
2. Update to a patched version via Composer: composer require typo3/cms-core:^10.4.55 (adjust the version constraint to your release branch; the fixed releases are 10.4.55, 11.5.49, 12.4.41, 13.4.23 and 14.0.2).
3. Clear caches: ./vendor/bin/typo3 cache:flush
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Restrict spool directory permissions
Change the permissions on the mail spool directory so that only the web server account can write to it (www-data below stands for the account your web server runs as).
chmod 750 typo3temp/var/spool/
chown www-data:www-data typo3temp/var/spool/
Disable mail spool functionality
Configure TYPO3 to send mail directly instead of writing it to the spool.
In LocalConfiguration.php, set $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport'] to 'smtp' or 'sendmail'.
🧯 If You Can't Patch
- Restrict access to mail spool directory using file system permissions
- Monitor spool directory for unauthorized file creation
🔍 How to Verify
Check if Vulnerable:
Run ./vendor/bin/typo3 --version. If the reported version is between 10.0.0 and 14.0.1 and below the fixed release for its branch, the system is vulnerable.
Check Version:
./vendor/bin/typo3 --version
Verify Fix Applied:
Run ./vendor/bin/typo3 --version again after updating; it should report 10.4.55 or later on the 10.4 branch, 11.5.49 or later on 11.5, 12.4.41 or later on 12.4, 13.4.23 or later on 13.4, or 14.0.2 or later on 14.0.
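The version check above can be scripted. The following is an added example, not part of the advisory and not TYPO3's own tooling: it compares an installed version against the fixed releases listed above, branch by branch. Its only assumption beyond those numbers is that ./vendor/bin/typo3 --version prints the version as three dot-separated numbers somewhere in its output.

```shell
#!/bin/sh
# Added example (not from the advisory or from TYPO3): decide whether an installed
# TYPO3 version is fixed for CVE-2026-0859. Fixed versions per release branch are
# the ones the advisory lists; the affected range is 10.0.0 through 14.0.1.
# Assumption: ./vendor/bin/typo3 --version prints the version as x.y.z somewhere
# in its output (e.g. "TYPO3 CMS 12.4.40"); the parser relies only on that.

# Fixed version per major release branch, as listed in the advisory.
TYPO3_FIXED_VERSIONS="10.4.55 11.5.49 12.4.41 13.4.23 14.0.2"

# vnum VERSION: map "major.minor.patch" to one integer so versions compare with -ge
# (major*1000000 + minor*1000 + patch; missing parts count as 0).
vnum() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# version_ge A B: succeed if version A is greater than or equal to version B.
version_ge() {
    [ "$(vnum "$1")" -ge "$(vnum "$2")" ]
}

# typo3_version_from_output TEXT: extract the first x.y.z token from --version output.
typo3_version_from_output() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1
}

# typo3_is_patched VERSION: print "patched" (exit 0), "vulnerable" (exit 1) or
# "unknown" (exit 2). A version is patched when it is at or above the fixed release
# of its own branch; anything newer than 14.x is beyond the affected range; anything
# older than 10.0.0 is outside the advisory's range, so it is reported as unknown
# rather than assumed safe.
typo3_is_patched() {
    ver="$1"
    major="${ver%%.*}"
    for fixed in $TYPO3_FIXED_VERSIONS; do
        if [ "${fixed%%.*}" = "$major" ]; then
            if version_ge "$ver" "$fixed"; then
                echo patched
                return 0
            fi
            echo vulnerable
            return 1
        fi
    done
    if [ "$major" -gt 14 ] 2>/dev/null; then
        echo patched
        return 0
    fi
    echo unknown
    return 2
}

# Usage against a real installation; skipped when the console binary is not present.
if [ -x ./vendor/bin/typo3 ]; then
    installed="$(typo3_version_from_output "$(./vendor/bin/typo3 --version 2>/dev/null)")"
    echo "TYPO3 ${installed:-?}: $(typo3_is_patched "$installed")"
fi
```

The exit code makes the function usable from a configuration-management or monitoring job: 0 means the branch's fixed release (or newer) is installed, 1 means an affected release, 2 means the version could not be placed in the advisory's range and needs a manual look.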
📡 Detection & Monitoring
Log Indicators:
- Unusual files in typo3temp/var/spool/ directory
- Errors in TYPO3 logs related to mail spool deserialization
- Unexpected PHP execution from spool directory
Network Indicators:
- Outbound connections from web server after mail spool processing
SIEM Query:
source="typo3.log" AND "mailer:spool:send" AND error
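The permissions workaround and the spool-directory log indicator above both come down to two checks that can be run on a schedule. The following POSIX shell script is an added example, not the advisory's own tooling and not part of TYPO3: it reports whether typo3temp/var/spool/ is group- or world-writable (the chmod 750 target) and lists any file in it that is not owned by the web server account. The spool path and the www-data account are the values the advisory uses and are assumptions to adjust per host.

```shell
#!/bin/sh
# Added example (not from the advisory or from TYPO3): audit a TYPO3 mail spool
# directory for the two conditions behind the advisory's workaround and detection
# sections: (1) the directory must not be writable by group or others, and (2) no
# file in it may be owned by anyone other than the web server user.
# Assumptions: the spool path typo3temp/var/spool and the www-data account are the
# advisory's values; override via environment variables for your installation.

SPOOL_DIR="${SPOOL_DIR:-typo3temp/var/spool}"
WEB_USER="${WEB_USER:-www-data}"

# spool_dir_writable_by_others DIR: exit 0 if group or other has the write bit,
# i.e. the directory is NOT locked down as the workaround requires. Parses the
# mode string from `ls -ld` (drwxrwxr-x: group write is column 6, other write
# column 9), which works with both GNU and busybox ls.
spool_dir_writable_by_others() {
    mode="$(ls -ld "$1" | cut -c1-10)"
    group_w="$(printf '%s' "$mode" | cut -c6)"
    other_w="$(printf '%s' "$mode" | cut -c9)"
    [ "$group_w" = w ] || [ "$other_w" = w ]
}

# spool_foreign_files DIR OWNER: print every regular file under DIR not owned by
# OWNER (a user name or numeric uid). A spool file created by another local
# account is the "unauthorized file creation" the advisory says to monitor for.
spool_foreign_files() {
    find "$1" -type f ! -user "$2" 2>/dev/null || true
}

# spool_audit DIR OWNER: print one line per finding; exit 0 when clean, 1 otherwise.
spool_audit() {
    dir="$1"
    owner="$2"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist (nothing to audit)"
        return 0
    fi
    if spool_dir_writable_by_others "$dir"; then
        echo "WEAK PERMS: $dir is group- or world-writable; run: chmod 750 $dir"
        rc=1
    fi
    foreign="$(spool_foreign_files "$dir" "$owner")"
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign" | while IFS= read -r f; do
            echo "FOREIGN FILE (not owned by $owner): $f"
        done
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir is $(ls -ld "$dir" | cut -c1-10) and all files belong to $owner"
    fi
    return "$rc"
}

# Run against the configured installation when the spool directory exists;
# the functions above can also be sourced into a cron or monitoring job.
if [ -d "$SPOOL_DIR" ]; then
    spool_audit "$SPOOL_DIR" "$WEB_USER"
fi
```

A non-zero exit from spool_audit is the condition to alert on; pairing it with the SIEM query above gives both a file-system view (who wrote into the spool) and a log view (what happened when mailer:spool:send ran).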