CVE-2026-0859
Published: 13 January 2026
Summary
CVE-2026-0859 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in TYPO3 CMS. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 11.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the deserialization vulnerability by requiring timely patching to the fixed TYPO3 versions specified in the security advisory.
- AC-6 (Least Privilege): restricts local users' write access to the mail spool directory, removing the prerequisite for placing a crafted file there.
- Monitoring of the spool directory for unauthorized file modifications, which are indicative of exploitation attempts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local deserialization flaw directly enables privilege escalation via arbitrary code execution (T1068) and facilitates web shell deployment on the CMS server (T1505.003).
NVD Description
TYPO3's mail-file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
Deeper analysis
CVE-2026-0859 is a deserialization vulnerability in TYPO3 CMS's mail-file spool mechanism, stemming from improper handling of files in the spool directory. The flaw allows malicious files to be deserialized during execution of the mailer:spool:send command, resulting in arbitrary PHP code execution on the web server. It affects TYPO3 CMS versions 10.0.0 through 10.4.54, 11.0.0 through 11.5.48, 12.0.0 through 12.4.40, 13.0.0 through 13.4.22, and 14.0.0 through 14.0.1, and is classified under CWE-502 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Local users with write access to the TYPO3 mail spool directory can exploit this vulnerability by placing a crafted file there that is read and deserialized when the mailer:spool:send command runs. Because mailer:spool:send is a TYPO3 console command, the attacker's PHP code executes with the privileges of whichever account runs that command, typically the web server user or a cron job, which can lead to full compromise of the TYPO3 instance with high confidentiality, integrity, and availability impact.
Mitigation requires updating to patched versions of TYPO3 CMS, as detailed in the official security advisory at https://typo3.org/security/advisory/typo3-core-sa-2026-004. Specific fixes are available in TYPO3 GitHub commits including 3225d705080a1bde57a66689621c947da5a4782f, 722bf71c118b0a8e4f2c2494854437d846799a13, and e0f0ceee480c203fbb60b87454f5f193e541d27f. Security practitioners should restrict write access to the spool directory where possible and monitor for unauthorized file modifications.
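The two compensating controls above (restricting write access to the spool directory and watching it for unexpected files) can be checked from the host without a PHP interpreter and without deserializing anything. The script below is an added example written for this page; it is not TYPO3 project code. It assumes the spool directory is a flat directory of files, that legitimate spool files only contain serialized objects from the Symfony and TYPO3\CMS\Core\Mail namespaces (an allow-list you should adjust to your installation), and the sample directory it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not TYPO3 project code. Audits a TYPO3 mail spool directory
# for the two preconditions CVE-2026-0859 turns on: write access for accounts
# other than the mailer owner, and spool files carrying serialized PHP objects
# of classes the mailer would never write. The allow-listed namespaces and the
# sample files below are assumptions made for this demo.

# Print "PERM <path>" for the spool directory and every entry under it that is
# writable by group or others. Any such path lets a non-owner stage a payload.
audit_spool_perms() {
    find "$1" -perm /022 -print 2>/dev/null | sed 's/^/PERM /'
}

# Print "SUSPECT <file> <class>" for each serialized object whose class falls
# outside the assumed allow-list. A serialized PHP object starts with
# O:<len>:"<Class>": so the class name can be pulled out with grep alone.
audit_spool_payloads() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -o 'O:[0-9]*:"[^"]*"' "$f" | sed 's/^O:[0-9]*:"//; s/"$//' |
        while IFS= read -r cls; do
            if ! printf '%s\n' "$cls" | grep -qE '^(Symfony\\|TYPO3\\CMS\\Core\\Mail\\)'; then
                printf 'SUSPECT %s %s\n' "$f" "$cls"
            fi
        done
    done
}

# Run both checks against one directory; output is empty when nothing is wrong.
audit_spool() {
    audit_spool_perms "$1"
    audit_spool_payloads "$1"
}

# Constructed sample spool: one benign message shaped like a Symfony mailer
# object, one crafted message referencing a made-up class and left
# world-writable, as a local user staging a payload would leave it.
build_sample_spool() {
    d=$(mktemp -d)
    chmod 0750 "$d"
    printf 'O:28:"Symfony\\Component\\Mime\\Email":1:{s:7:"subject";s:2:"hi";}' > "$d/benign.message"
    chmod 0640 "$d/benign.message"
    printf 'O:11:"Evil\\Gadget":1:{s:3:"cmd";s:2:"id";}' > "$d/crafted.message"
    chmod 0666 "$d/crafted.message"
    printf '%s\n' "$d"
}

# Stand-alone run: build the sample, audit it, clean up.
sample=$(build_sample_spool)
audit_spool "$sample"
rm -rf "$sample"
```

Run `audit_spool /path/to/your/spool` against the real directory (the path TYPO3 is configured to use for the file spool) from cron or a configuration-check job; any PERM line means the least-privilege control is not in place, and any SUSPECT line deserves a look before the next mailer:spool:send run. For continuous monitoring rather than periodic scans, an auditd watch on the same directory (`auditctl -w /path/to/your/spool -p wa -k typo3-spool`) records every write and attribute change with the writing user.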
Details
- CWE(s)