Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/49701?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49701?format=api", "vulnerability_id": "VCID-9tpm-8udy-c3cd", "summary": "TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool\n### Problem\nLocal platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server.\n\nThe vulnerability is triggered when TYPO3 is configured with `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';` and a scheduler task or cron job runs the command `mailer:spool:send`. The spool‑send operation performs the insecure deserialization that is at the core of this issue.\n\n### Solution\nUpdate to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.\n\n### Credits\nThanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it.\n\n### References\n* [TYPO3-CORE-SA-2026-004](https://typo3.org/security/advisory/typo3-core-sa-2026-004)", "aliases": [ { "alias": "CVE-2026-0859" }, { "alias": "GHSA-7vp9-x248-9vr9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73388?format=api", "purl": "pkg:composer/typo3/cms-core@10.4.55", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.55" }, { "url": "http://public2.vulnerablecode.io/api/packages/73387?format=api", "purl": "pkg:composer/typo3/cms-core@11.5.49", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.49" }, { "url": "http://public2.vulnerablecode.io/api/packages/73386?format=api", "purl": "pkg:composer/typo3/cms-core@12.4.41", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.41" }, { "url": "http://public2.vulnerablecode.io/api/packages/73385?format=api", "purl": "pkg:composer/typo3/cms-core@13.4.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/73384?format=api", "purl": "pkg:composer/typo3/cms-core@14.0.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.0.2" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58460?format=api", "purl": "pkg:composer/typo3/cms-core@10.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-1sfk-z8py-ykb8" }, { "vulnerability": "VCID-2rhr-8vaz-hqfj" }, { "vulnerability": "VCID-2tz2-8qdm-2kcv" }, { "vulnerability": "VCID-3hta-35zx-zuc4" }, { "vulnerability": "VCID-4an7-9ph4-mkd4" }, { "vulnerability": "VCID-4rfq-u488-sbh5" }, { "vulnerability": "VCID-6a22-c7x5-sqe2" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-78ff-k66z-bkh7" }, { "vulnerability": "VCID-7r4g-gxc6-hubh" }, { "vulnerability": "VCID-7snt-7hyt-1fbx" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-8w4e-d49b-nbg8" }, { "vulnerability": "VCID-9tpm-8udy-c3cd" }, { "vulnerability": "VCID-a1g9-pyz5-9fca" }, { "vulnerability": "VCID-an3r-c2yp-1bbd" }, { "vulnerability": "VCID-bbh5-rss8-bfct" }, { "vulnerability": "VCID-bzqv-s7g3-wff9" }, { "vulnerability": "VCID-e6zr-4bgg-kkh5" }, { "vulnerability": "VCID-etcc-43a3-a7ek" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fgkd-jp96-cbcs" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-gxsd-4nd9-gqgn" }, { "vulnerability": "VCID-j8hk-bqnb-gycp" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-myhc-dyh9-xygg" }, { "vulnerability": "VCID-n1gz-y615-cbbk" }, { "vulnerability": "VCID-r3az-g422-gqf9" }, { "vulnerability": "VCID-rzx5-nv6h-qqhg" }, { "vulnerability": "VCID-sdjb-gp4t-vbgt" }, { "vulnerability": "VCID-tgyt-axv1-c7ag" }, { "vulnerability": "VCID-uq77-aax5-k7d8" }, { "vulnerability": "VCID-uua1-9rt1-dfbz" }, { "vulnerability": "VCID-w94g-xxea-23fb" }, { "vulnerability": "VCID-x3n3-tsjh-8kby" }, { "vulnerability": "VCID-y3zj-acc7-jkau" }, { "vulnerability": "VCID-ygw1-vqxg-z3h3" }, { "vulnerability": "VCID-zkvq-bms4-gfcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/58462?format=api", "purl": "pkg:composer/typo3/cms-core@11.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ffs-9vj5-27hk" }, { "vulnerability": "VCID-2rhr-8vaz-hqfj" }, { "vulnerability": "VCID-3hta-35zx-zuc4" }, { "vulnerability": "VCID-6a22-c7x5-sqe2" }, { "vulnerability": "VCID-6mnf-2fcw-dqgp" }, { "vulnerability": "VCID-6urp-p9mn-cffv" }, { "vulnerability": "VCID-7r4g-gxc6-hubh" }, { "vulnerability": "VCID-7snt-7hyt-1fbx" }, { "vulnerability": "VCID-848u-w88s-5bbe" }, { "vulnerability": "VCID-9tpm-8udy-c3cd" }, { "vulnerability": "VCID-a1g9-pyz5-9fca" }, { "vulnerability": "VCID-an3r-c2yp-1bbd" }, { "vulnerability": "VCID-bzqv-s7g3-wff9" }, { "vulnerability": "VCID-c46m-ht19-ybc4" }, { "vulnerability": "VCID-etcc-43a3-a7ek" }, { "vulnerability": "VCID-ev4k-5k1d-2bhu" }, { "vulnerability": "VCID-fgkd-jp96-cbcs" }, { "vulnerability": "VCID-fqkx-v8t5-q3h6" }, { "vulnerability": "VCID-fsx8-7qjz-2ubw" }, { "vulnerability": "VCID-gxsd-4nd9-gqgn" }, { "vulnerability": "VCID-j8hk-bqnb-gycp" }, { "vulnerability": "VCID-jp1p-rfxa-hyd9" }, { "vulnerability": "VCID-myhc-dyh9-xygg" }, { "vulnerability": "VCID-p3nb-urds-euf3" }, { "vulnerability": "VCID-rzx5-nv6h-qqhg" }, { "vulnerability": "VCID-sdjb-gp4t-vbgt" }, { "vulnerability": "VCID-uq77-aax5-k7d8" }, { "vulnerability": "VCID-uua1-9rt1-dfbz" }, { "vulnerability": "VCID-w94g-xxea-23fb" }, { "vulnerability": "VCID-x3n3-tsjh-8kby" }, { "vulnerability": "VCID-y3zj-acc7-jkau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/63852?format=api", "purl": "pkg:composer/typo3/cms-core@12.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3hta-35zx-zuc4" }, { "vulnerability": "VCID-5e9k-tfy9-ufcx" }, { "vulnerability": "VCID-6a22-c7x5-sqe2" }, { "vulnerability": "VCID-7r4g-gxc6-hubh" }, { "vulnerability": "VCID-7snt-7hyt-1fbx" }, { "vulnerability": "VCID-9tpm-8udy-c3cd" }, { "vulnerability": "VCID-an3r-c2yp-1bbd" }, { "vulnerability": "VCID-bzqv-s7g3-wff9" }, { "vulnerability": "VCID-etcc-43a3-a7ek" }, { "vulnerability": "VCID-fgkd-jp96-cbcs" }, { "vulnerability": "VCID-gxsd-4nd9-gqgn" }, { "vulnerability": "VCID-myhc-dyh9-xygg" }, { "vulnerability": "VCID-p3nb-urds-euf3" }, { "vulnerability": "VCID-rzx5-nv6h-qqhg" }, { "vulnerability": "VCID-uua1-9rt1-dfbz" }, { "vulnerability": "VCID-w94g-xxea-23fb" }, { "vulnerability": "VCID-x3n3-tsjh-8kby" }, { "vulnerability": "VCID-y3zj-acc7-jkau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/68933?format=api", "purl": "pkg:composer/typo3/cms-core@13.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3hta-35zx-zuc4" }, { "vulnerability": "VCID-5e9k-tfy9-ufcx" }, { "vulnerability": "VCID-7r4g-gxc6-hubh" }, { "vulnerability": "VCID-7snt-7hyt-1fbx" }, { "vulnerability": "VCID-9tpm-8udy-c3cd" }, { "vulnerability": "VCID-an3r-c2yp-1bbd" }, { "vulnerability": "VCID-c91z-btmf-87dz" }, { "vulnerability": "VCID-etcc-43a3-a7ek" }, { "vulnerability": "VCID-fgkd-jp96-cbcs" }, { "vulnerability": "VCID-myhc-dyh9-xygg" }, { "vulnerability": "VCID-p3nb-urds-euf3" }, { "vulnerability": "VCID-rzx5-nv6h-qqhg" }, { "vulnerability": "VCID-uua1-9rt1-dfbz" }, { "vulnerability": "VCID-uw3m-2f4s-s3fj" }, { "vulnerability": "VCID-w94g-xxea-23fb" }, { "vulnerability": "VCID-x3n3-tsjh-8kby" }, { "vulnerability": "VCID-y3zj-acc7-jkau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/73383?format=api", "purl": "pkg:composer/typo3/cms-core@14.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9tpm-8udy-c3cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.0.0" } ], "references": [ { "reference_url": "https://github.com/TYPO3/typo3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/typo3" }, { "reference_url": "https://github.com/TYPO3/typo3/commit/3225d705080a1bde57a66689621c947da5a4782f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/typo3/commit/3225d705080a1bde57a66689621c947da5a4782f" }, { "reference_url": "https://github.com/TYPO3/typo3/commit/722bf71c118b0a8e4f2c2494854437d846799a13", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/typo3/commit/722bf71c118b0a8e4f2c2494854437d846799a13" }, { "reference_url": "https://github.com/TYPO3/typo3/commit/e0f0ceee480c203fbb60b87454f5f193e541d27f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/typo3/commit/e0f0ceee480c203fbb60b87454f5f193e541d27f" }, { "reference_url": "https://typo3.org/security/advisory/typo3-core-sa-2026-004", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-004" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0859", "reference_id": "CVE-2026-0859", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0859" }, { "reference_url": "https://github.com/advisories/GHSA-7vp9-x248-9vr9", "reference_id": "GHSA-7vp9-x248-9vr9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7vp9-x248-9vr9" }, { "reference_url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-7vp9-x248-9vr9", "reference_id": "GHSA-7vp9-x248-9vr9", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-7vp9-x248-9vr9" } ], "weaknesses": [ { "cwe_id": 502, "name": "Deserialization of Untrusted Data", "description": "The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": "0.5", "weighted_severity": "6.2", "risk_score": 3.1, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9tpm-8udy-c3cd" }