VulnerableCode Package Details - pkg:composer/typo3/cms-core@13.4.18

Search for packages

Vulnerability	Summary	Fixed by
VCID-gyyu-n3b1-zbcj Aliases: CVE-2026-0859 GHSA-7vp9-x248-9vr9	TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool ### Problem Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server. The vulnerability is triggered when TYPO3 is configured with `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';` and a scheduler task or cron job runs the command `mailer:spool:send`. The spool‑send operation performs the insecure deserialization that is at the core of this issue. ### Solution Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described. ### Credits Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it. ### References * [TYPO3-CORE-SA-2026-004](https://typo3.org/security/advisory/typo3-core-sa-2026-004)	13.4.23 Affected by 0 other vulnerabilities. 14.0.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-gyyu-n3b1-zbcj
Aliases:
CVE-2026-0859
GHSA-7vp9-x248-9vr9

TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool ### Problem Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server. The vulnerability is triggered when TYPO3 is configured with `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';` and a scheduler task or cron job runs the command `mailer:spool:send`. The spool‑send operation performs the insecure deserialization that is at the core of this issue. ### Solution Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described. ### Credits Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it. ### References * [TYPO3-CORE-SA-2026-004](https://typo3.org/security/advisory/typo3-core-sa-2026-004)

13.4.23
Affected by 0 other vulnerabilities.

14.0.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-jxw7-skw6-q7bg	TYPO3 CMS uses insufficient entropy when generating passwords A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.	CVE-2025-59015 GHSA-p5jq-5383-qvc7
VCID-qeus-f4wj-rubr	TYPO3 CMS exposes sensitive information in an error message Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.	CVE-2025-59016 GHSA-cvm2-5f78-g9m8
VCID-qzyk-7877-27a3	TYPO3 CMS has an open‑redirect vulnerability An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated, sanitized URL.	CVE-2025-59013 GHSA-72jf-5fg5-3cw3

Vulnerability

Summary

Aliases

VCID-jxw7-skw6-q7bg

TYPO3 CMS uses insufficient entropy when generating passwords A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.

CVE-2025-59015
GHSA-p5jq-5383-qvc7

VCID-qeus-f4wj-rubr

TYPO3 CMS exposes sensitive information in an error message Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.

CVE-2025-59016
GHSA-cvm2-5f78-g9m8

VCID-qzyk-7877-27a3

TYPO3 CMS has an open‑redirect vulnerability An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated, sanitized URL.

CVE-2025-59013
GHSA-72jf-5fg5-3cw3

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:09:21.899243+00:00	GitLab Importer	Affected by	VCID-gyyu-n3b1-zbcj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2026-0859.yml	38.4.0
2026-04-12T01:32:59.316762+00:00	GitLab Importer	Affected by	VCID-gyyu-n3b1-zbcj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2026-0859.yml	38.3.0
2026-04-07T04:58:43.831669+00:00	GHSA Importer	Fixing	VCID-qeus-f4wj-rubr	https://github.com/advisories/GHSA-cvm2-5f78-g9m8	38.1.0
2026-04-07T04:58:43.670739+00:00	GHSA Importer	Fixing	VCID-qzyk-7877-27a3	https://github.com/advisories/GHSA-72jf-5fg5-3cw3	38.1.0
2026-04-07T04:58:43.494224+00:00	GHSA Importer	Fixing	VCID-jxw7-skw6-q7bg	https://github.com/advisories/GHSA-p5jq-5383-qvc7	38.1.0
2026-04-03T01:41:56.151107+00:00	GitLab Importer	Affected by	VCID-gyyu-n3b1-zbcj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2026-0859.yml	38.1.0
2026-04-02T12:42:11.136717+00:00	GitLab Importer	Fixing	VCID-jxw7-skw6-q7bg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2025-59015.yml	38.0.0
2026-04-01T12:55:12.074247+00:00	GithubOSV Importer	Fixing	VCID-qeus-f4wj-rubr	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-cvm2-5f78-g9m8/GHSA-cvm2-5f78-g9m8.json	38.0.0
2026-04-01T12:55:10.540133+00:00	GithubOSV Importer	Fixing	VCID-jxw7-skw6-q7bg	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-p5jq-5383-qvc7/GHSA-p5jq-5383-qvc7.json	38.0.0
2026-04-01T12:55:03.287438+00:00	GithubOSV Importer	Fixing	VCID-qzyk-7877-27a3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-72jf-5fg5-3cw3/GHSA-72jf-5fg5-3cw3.json	38.0.0