CVE-2026-49740
Received - Intake
PHP Object Injection in TYPO3 CMS Cache and Registry

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: TYPO3

Description
TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Meta Information
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (5 associated CPEs)
Vendor | Product | Version / Range
typo3  | typo3   | up to 10.4.57 (exclusive)
typo3  | typo3   | up to 11.5.51 (exclusive)
typo3  | typo3   | up to 12.4.46 (exclusive)
typo3  | typo3   | up to 13.4.31 (exclusive)
typo3  | typo3   | up to 14.3.3 (exclusive)
Helpful Resources
Exploitability
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Quick Actions
Executive Summary

This vulnerability affects TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry), which deserialize PHP payloads without verifying their integrity or restricting the classes they contain.

An attacker who has write access to the underlying storage backend, such as the cache store or the sys_registry database table, can inject a specially crafted serialized payload. This can trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other serious impacts.

Exploitation requires direct local write access to the storage, like the SQL database or file system.

Impact Analysis

If exploited, this vulnerability can lead to Remote Code Execution on the affected TYPO3 system.

This means an attacker with write access to the storage backend could execute arbitrary code, potentially compromising the entire system.

Other high-impact effects are also possible through PHP Object Injection, depending on the gadget chain exploited.

Detection Guidance

This vulnerability involves insecure deserialization in TYPO3's cache frontend and persistent key-value store, which requires local write access to the underlying storage such as the SQL database or file system. Detection would involve inspecting these storage backends for suspicious or crafted serialized PHP payloads.

Since exploitation requires direct local write access, detection commands should focus on checking the integrity and contents of the cache storage and sys_registry database table for unexpected or suspicious serialized data.

  • For SQL databases, query the sys_registry table (whose payload column is entry_value) for serialized PHP objects. Serialized objects start with O:<length>:"ClassName", so a pattern anchored on that prefix is far less noisy than a bare '%O:%': SELECT entry_namespace, entry_key, entry_value FROM sys_registry WHERE entry_value LIKE '%O:%:"%';
  • For file system caches, search the cache directory for the same object-serialization prefix, e.g. grep -rE 'O:[0-9]+:"' /path/to/typo3/cache/
  • Legitimate cache and registry entries can contain serialized objects too, so compare the class names found in matches against a known-good installation (or a backup taken before the suspected compromise) rather than treating every hit as malicious.

Additionally, monitoring for unexpected write access or modifications to these storage locations can help detect attempts to inject malicious payloads.

Mitigation Strategies

The primary mitigation step is to update TYPO3 CMS to a patched version that addresses this vulnerability. The fixed versions are 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS.

The update introduces security measures including the DenyListDeserializer and AuthenticatedMessageDeserializer, which prevent unsafe deserialization by blocking gadget classes and ensuring payload integrity with HMAC.
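As an added illustration of the two measures named above, the PHP below wraps each serialized value with an HMAC that is verified before unserialize() is ever called, and additionally restricts which classes unserialize() may instantiate (PHP's allowed_classes allow-list, rather than a deny list). This is example code, not TYPO3's own DenyListDeserializer or AuthenticatedMessageDeserializer; SignedStore, its key source and the sample entries are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not TYPO3 code. SignedStore and the key source are hypothetical.
final class SignedStore
{
    private const ALGO = 'sha256';
    public function __construct(private string $key) {}

    /** Serialize $value and prefix it with an HMAC over the serialized bytes. */
    public function encode(mixed $value): string
    {
        $payload = serialize($value);
        return hash_hmac(self::ALGO, $payload, $this->key) . ':' . $payload;
    }

    /**
     * Verify the HMAC first: an entry written straight into the backend by
     * someone without the key fails here and is never parsed, so no gadget
     * chain can run. allowed_classes (false = no objects at all) additionally
     * turns any object in the payload into __PHP_Incomplete_Class.
     */
    public function decode(string $stored, array|bool $allowedClasses = false): mixed
    {
        $parts = explode(':', $stored, 2);   // the hex MAC contains no ':'
        if (count($parts) !== 2) {
            throw new RuntimeException('malformed entry');
        }
        [$mac, $payload] = $parts;
        $expected = hash_hmac(self::ALGO, $payload, $this->key);
        if (!hash_equals($expected, $mac)) { // constant-time comparison
            throw new RuntimeException('integrity check failed');
        }
        return unserialize($payload, ['allowed_classes' => $allowedClasses]);
    }
}

// Constructed demo: the legitimate writer round-trips its entry, while an
// entry planted directly in storage without a valid MAC is rejected before
// unserialize() sees it.
$store = new SignedStore('hypothetical-key-loaded-from-configuration');
$entry = $store->encode(['page' => 1, 'ttl' => 3600]);
var_dump($store->decode($entry));

$planted = str_repeat('0', 64) . ':' . serialize(new stdClass());
try {
    $store->decode($planted);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The key must live outside the storage backend the attacker can write to (for example in application configuration), otherwise the MAC adds nothing.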

Until you can update, restrict write access to the underlying storage backends such as the cache store and sys_registry database table to trusted users only, as exploitation requires local write access.

Follow TYPO3 Security Guide recommendations and subscribe to the typo3-announce mailing list for ongoing security updates.
