Executive Summary

CVE-2026-0859 is a security vulnerability in TYPO3 CMS's mail file spool system where local users with write access to the mail spool directory can create malicious serialized files. These files are deserialized without proper restrictions during the mail sending process, allowing arbitrary PHP code execution on the web server. The root cause was a typo in the allowed classes list used during deserialization, which made the security restriction ineffective. The vulnerability affects multiple TYPO3 versions and was fixed by introducing a new PolymorphicDeserializer component that inspects and validates all classes in the serialized payload before deserialization, ensuring only allowed classes or interfaces are processed. If disallowed classes or syntax errors are detected, deserialization is aborted and errors are logged, preventing unsafe object injection. [1, 2, 3, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with local write access to the TYPO3 mail spool directory to execute arbitrary PHP code on the web server. This means the attacker could potentially take control of the web server, access sensitive data, modify website content, or perform other malicious actions within the web server's context. The impact is significant as it compromises the security and integrity of the TYPO3 installation and the underlying server environment. [2]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if your TYPO3 installation is using the file spool transport method for mail sending and if the affected versions are in use. You can verify the TYPO3 version and mail spool configuration by inspecting the TYPO3 configuration files, specifically looking for the setting `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file'`. Additionally, monitoring the mail spool directory for unexpected or suspicious serialized files created by local users with write access can help detect exploitation attempts. Since the vulnerability involves deserialization of malicious files during the `mailer:spool:send` command, you can check logs for errors related to deserialization failures or unexpected class names. Commands to check TYPO3 version and configuration might include: `grep 'transport_spool_type' /path/to/typo3conf/LocalConfiguration.php` and `typo3cms --version` (if CLI tool is available). Also, inspecting the spool directory permissions and contents with `ls -l /path/to/spool/directory` and searching for recently modified files with `find /path/to/spool/directory -type f -mtime -1` can be useful. However, no specific detection commands for malicious serialized payloads are provided in the resources. [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating TYPO3 CMS to a fixed version where the vulnerability is patched. The fixed versions are 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, and 14.0.2 or later. This update includes the introduction of the `PolymorphicDeserializer` component that enforces strict validation of serialized mail spool messages, preventing unsafe deserialization. Additionally, ensure that local users do not have unnecessary write access to the mail spool directory to reduce the risk of crafting malicious serialized files. Follow the TYPO3 Security Guide recommendations for further hardening. If immediate updating is not possible, consider disabling the file spool transport method temporarily or restricting access to the spool directory until the patch can be applied. [2]

Useful 0 Not Useful 0