VulnerableCode Package Details - pkg:composer/typo3/cms-core@13.4.23

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-gyyu-n3b1-zbcj	TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool ### Problem Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server. The vulnerability is triggered when TYPO3 is configured with `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';` and a scheduler task or cron job runs the command `mailer:spool:send`. The spool‑send operation performs the insecure deserialization that is at the core of this issue. ### Solution Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described. ### Credits Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it. ### References * [TYPO3-CORE-SA-2026-004](https://typo3.org/security/advisory/typo3-core-sa-2026-004)	CVE-2026-0859 GHSA-7vp9-x248-9vr9

Vulnerability

Summary

Aliases

VCID-gyyu-n3b1-zbcj

TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool ### Problem Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server. The vulnerability is triggered when TYPO3 is configured with `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';` and a scheduler task or cron job runs the command `mailer:spool:send`. The spool‑send operation performs the insecure deserialization that is at the core of this issue. ### Solution Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described. ### Credits Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it. ### References * [TYPO3-CORE-SA-2026-004](https://typo3.org/security/advisory/typo3-core-sa-2026-004)

CVE-2026-0859
GHSA-7vp9-x248-9vr9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T16:07:44.791611+00:00	GHSA Importer	Fixing	VCID-gyyu-n3b1-zbcj	https://github.com/advisories/GHSA-7vp9-x248-9vr9	38.0.0
2026-04-01T12:53:39.329429+00:00	GitLab Importer	Fixing	VCID-gyyu-n3b1-zbcj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2026-0859.yml	38.0.0
2026-04-01T12:52:15.209262+00:00	GithubOSV Importer	Fixing	VCID-gyyu-n3b1-zbcj	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7vp9-x248-9vr9/GHSA-7vp9-x248-9vr9.json	38.0.0