CVE-2026-1323

MEDIUM

Insecure Deserialization in extension "Mailqueue" (mailqueue)

Title source: cna

Description

The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].

Scores

CVSS v4 5.2
EPSS 0.0002
EPSS Percentile 6.2%
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

Details

CWE: CWE-502
Status: published
Products (3)
cpsit/typo3-mailqueue 0 - 0.4.5 (Packagist)
TYPO3/Extension "Mailqueue" < 0.4.5
TYPO3/Extension "Mailqueue" 0.5.0 - 0.5.2
Published Mar 17, 2026
Tracked Since Mar 17, 2026