VulnerableCode Vulnerability Details - VCID-5kf1-bpk8-9bag

Search for vulnerabilities

Vulnerability details: VCID-5kf1-bpk8-9bag

Essentials
Severities (4)
References (4)
Severity details (4)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-5kf1-bpk8-9bag
Aliases	GHSA-8h28-f46f-m87h
Summary	Insecure Deserialization in TYPO3 CMS It has been discovered that the Form Framework (system extension "form") is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting "yaml.decode_php" enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-502

Deserialization of Untrusted Data

System	Score	Found at
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-8h28-f46f-m87h
generic_textual	HIGH	https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2018-07-12-4.yaml
generic_textual	HIGH	https://github.com/TYPO3/typo3
generic_textual	HIGH	https://typo3.org/security/advisory/typo3-core-sa-2018-004

Reference id	Reference type	URL
		https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2018-07-12-4.yaml
		https://github.com/TYPO3/typo3
		https://typo3.org/security/advisory/typo3-core-sa-2018-004
GHSA-8h28-f46f-m87h		https://github.com/advisories/GHSA-8h28-f46f-m87h

No exploits are available.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:11:11.171915+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-8h28-f46f-m87h/GHSA-8h28-f46f-m87h.json	36.1.3