CVE-2026-1323
CVE-2026-1323 is a medium-severity vulnerability rated 5.2/10 on the CVSS scale. The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. EPSS estimates a 0.21% chance of exploitation in the next 30 days.
Description
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Cps-It | Mailqueue | < 0.4.5 |
| Cps-It | Mailqueue | >= 0.5.0, < 0.5.2 |
References
- https://typo3.org/security/advisory/typo3-ext-sa-2026-005 (Vendor Advisory)
Source: NVD / NIST
