Lookup for vulnerable packages by Package URL.
| Purl | pkg:composer/typo3/cms-core@12.4.35 |
|---|
| Type | composer |
|---|
| Namespace | typo3 |
|---|
| Name | cms-core |
|---|
| Version | 12.4.35 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 12.4.41 |
|---|
| Latest_non_vulnerable_version | 14.0.2 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-gyyu-n3b1-zbcj |
| vulnerability_id |
VCID-gyyu-n3b1-zbcj |
| summary |
TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
### Problem
Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server.
The vulnerability is triggered when TYPO3 is configured with `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';` and a scheduler task or cron job runs the command `mailer:spool:send`. The spool‑send operation performs the insecure deserialization that is at the core of this issue.
### Solution
Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.
### Credits
Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it.
### References
* [TYPO3-CORE-SA-2026-004](https://typo3.org/security/advisory/typo3-core-sa-2026-004) |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-0859 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.0813 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08189 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.0812 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08174 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.11696 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.11732 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.11721 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.1153 |
| published_at |
2026-04-18T12:55:00Z |
|
| 8 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.11527 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.1167 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-0859 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-0859, GHSA-7vp9-x248-9vr9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gyyu-n3b1-zbcj |
|
| 1 |
| url |
VCID-jxw7-skw6-q7bg |
| vulnerability_id |
VCID-jxw7-skw6-q7bg |
| summary |
TYPO3 CMS uses insufficient entropy when generating passwords
A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-59015 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00034 |
| scoring_system |
epss |
| scoring_elements |
0.09796 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00034 |
| scoring_system |
epss |
| scoring_elements |
0.09847 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10034 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10057 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.10651 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.10742 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.10766 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.10799 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.10784 |
| published_at |
2026-04-09T12:55:00Z |
|
| 9 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.10728 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-59015 |
|
| 1 |
| reference_url |
https://github.com/TYPO3-CMS/core |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/TYPO3-CMS/core |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-59015, GHSA-p5jq-5383-qvc7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jxw7-skw6-q7bg |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | 3.1 |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.35 |
|---|