CVE-2026-1323

Medium CVSS: 5.2

The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].

Vendor

Product

CWE

CWE-502

Yayın Tarihi

2026-03-17 09:16:13

Güncelleme

2026-03-17 14:20:01

Source Identifier

f4fb688c-4412-4426-b4b8-421ecf27b14a

KEV Date Added

Kategoriler

CWE-502 MEDIUM 2026

Referanslar

https://typo3.org/security/advisory/typo3-ext-sa-2026-005