
CVE Reports

Originally published at cvereports.com

CVE-2026-0859: CamelCase Catastrophe: How a Typo in TYPO3 Enabled RCE

Vulnerability ID: CVE-2026-0859
CVSS Score: 5.2
Published: 2026-01-13

CVE-2026-0859 is a critical insecure deserialization vulnerability in TYPO3 CMS caused by a typographical error in the options passed to unserialize(). A local attacker who can write to the mail spool directory can escalate to remote code execution by planting malicious serialized objects there.

TL;DR

The TYPO3 developers attempted to secure the mail spooler by whitelisting the classes allowed during deserialization. However, they used the configuration key 'allowedClasses' (camelCase) instead of the key unserialize() actually reads, 'allowed_classes' (snake_case). PHP silently ignored the unknown key, so the whitelist was never applied. An attacker with write access to the spool directory can therefore execute arbitrary code via gadget chains.
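To make the TL;DR concrete, the PHP script below is an added example (not TYPO3 code; SpoolMessage and NotOnTheList are classes made up for this demonstration). It runs the same unserialize() call with the misspelled 'allowedClasses' key and then with the real 'allowed_classes' option, and reports whether a class outside the whitelist is refused in each case.

```php
<?php
// Added example, not TYPO3 code. SpoolMessage stands in for a class the spool
// legitimately stores; NotOnTheList stands in for any class that should be
// refused. Both are constructed for this demonstration.
declare(strict_types=1);

final class SpoolMessage
{
    public function __construct(public string $subject = '') {}
}

final class NotOnTheList
{
    public string $note = 'should never be instantiated from spool data';
}

// Returns true when $options actually prevent NotOnTheList from being
// instantiated, i.e. when the whitelist is in force.
function whitelistEnforced(array $options): bool
{
    $foreign = serialize(new NotOnTheList());          // object outside the whitelist
    $result  = unserialize($foreign, $options);
    return $result instanceof __PHP_Incomplete_Class;  // refused classes come back as this
}

// Returns true when a legitimate message still round-trips under $options.
function legitimateRoundTrip(array $options): bool
{
    $stored = serialize(new SpoolMessage('hello'));
    $back   = unserialize($stored, $options);
    return $back instanceof SpoolMessage && $back->subject === 'hello';
}

// The pre-fix key: unserialize() has no option called 'allowedClasses', so the
// whole array is ignored and every class in the stream is instantiated.
$typo = ['allowedClasses' => [SpoolMessage::class]];

// The fixed key: this is the option PHP actually reads.
$fixed = ['allowed_classes' => [SpoolMessage::class]];

foreach (['allowedClasses (typo)' => $typo, 'allowed_classes (fix)' => $fixed] as $label => $opts) {
    printf(
        "%-24s whitelist enforced: %s, legitimate data ok: %s\n",
        $label,
        whitelistEnforced($opts) ? 'yes' : 'NO',
        legitimateRoundTrip($opts) ? 'yes' : 'no'
    );
}
```

Run it with the php CLI. The typo row reports that the whitelist is not enforced while legitimate spool data still loads, which is exactly why the bug was invisible in normal operation: nothing broke, the restriction simply never existed.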


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-502
  • Attack Vector: Local (File Write)
  • CVSS: 5.2 (Medium)
  • Impact: Remote Code Execution (RCE)
  • Configuration: transport_spool_type = file
  • Exploit Status: PoC Available

Affected Systems

  • TYPO3 CMS v14: 14.0.0 - 14.0.1 (Fixed in: 14.0.2)
  • TYPO3 CMS v13: 13.0.0 - 13.4.22 (Fixed in: 13.4.23)
  • TYPO3 CMS v12: 12.0.0 - 12.4.40 (Fixed in: 12.4.41)
  • TYPO3 CMS v11: 11.0.0 - 11.5.48
  • TYPO3 CMS v10: 10.0.0 - 10.4.54

Code Analysis

Commit: 3225d70

Fix insecure deserialization in FileSpool (Main)

- 'allowedClasses' => [...]
+ 'allowed_classes' => [...]
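Review bot: the rename from 'allowedClasses' to 'allowed_classes' is the entire fix, because unserialize() only recognises the snake_case key and the old key left deserialization unrestricted; a regression test that writes a serialized object of a class outside the list into the spool and asserts it is read back as __PHP_Incomplete_Class would keep a future typo from silently disabling the whitelist again.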

Commit: e0f0cee

Fix insecure deserialization in FileSpool (v13)

Backport of PolymorphicDeserializer fix

Exploit Details

  • Hypothetical: Standard PHPGGC chains for Symfony/Guzzle likely applicable.

Mitigation Strategies

  • Upgrade TYPO3 CMS to the latest patch level.
  • Switch mail transport from 'file' spool to direct SMTP/Sendmail.
  • Restrict filesystem permissions on the 'var/spool' directory.

Remediation Steps:

  1. Check LocalConfiguration.php for $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file'.
  2. If set to 'file', update TYPO3 immediately using composer update typo3/cms-core.
  3. Verify the update by checking typo3/sysext/core/Classes/Mail/FileSpool.php for the presence of allowed_classes (snake_case).
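The three remediation steps can be scripted. The PHP CLI script below is an added example, not TYPO3 tooling. It assumes the install root is passed as the first argument, scans the legacy typo3conf/LocalConfiguration.php and AdditionalConfiguration.php as well as the newer config/system/settings.php and additional.php for the spool setting, and then inspects FileSpool.php under both the classic typo3/sysext location and the composer vendor/ location; all of these paths are assumptions about a typical layout.

```php
<?php
// Added audit script, not part of TYPO3. The paths below are assumptions about
// a typical install layout; adjust them if your deployment differs.
declare(strict_types=1);

const CONFIG_CANDIDATES = [
    'typo3conf/LocalConfiguration.php',
    'typo3conf/AdditionalConfiguration.php',
    'config/system/settings.php',
    'config/system/additional.php',
];

const SPOOL_CANDIDATES = [
    'typo3/sysext/core/Classes/Mail/FileSpool.php',
    'vendor/typo3/cms-core/Classes/Mail/FileSpool.php',
];

// Step 1: does any configuration file select the file spool? The files are
// scanned as text (array form and $GLOBALS assignment form), so the audit
// never executes code from the install it is checking.
function fileSpoolConfigured(string $root): bool
{
    $patterns = [
        "/'transport_spool_type'\s*=>\s*'file'/",
        "/\['transport_spool_type'\]\s*=\s*'file'/",
    ];
    foreach (CONFIG_CANDIDATES as $rel) {
        $src = @file_get_contents("$root/$rel");
        if ($src === false) {
            continue;
        }
        foreach ($patterns as $re) {
            if (preg_match($re, $src) === 1) {
                return true;
            }
        }
    }
    return false;
}

// Step 3: does the installed FileSpool pass the real option key?
// Returns true (patched), false (typo still present) or null (cannot tell).
function fileSpoolPatched(string $root): ?bool
{
    foreach (SPOOL_CANDIDATES as $rel) {
        $src = @file_get_contents("$root/$rel");
        if ($src === false) {
            continue;
        }
        if (str_contains($src, "'allowed_classes'")) {
            return true;
        }
        if (str_contains($src, "'allowedClasses'")) {
            return false;
        }
        return null; // neither key present: unfamiliar version, inspect by hand
    }
    return null;
}

$root     = rtrim($argv[1] ?? (string) getcwd(), '/');
$usesFile = fileSpoolConfigured($root);
$patched  = fileSpoolPatched($root);

echo "TYPO3 root:          $root\n";
echo 'file spool enabled:  ' . ($usesFile ? 'yes' : 'no') . "\n";
echo 'FileSpool patched:   ' . ($patched === null ? 'unknown' : ($patched ? 'yes' : 'NO')) . "\n";

// Step 2: the combination that needs action is file spool on and fix absent.
if ($usesFile && $patched === false) {
    echo "ACTION: run 'composer update typo3/cms-core' (or update the core) now.\n";
    exit(1);
}
exit(0);
```

Run it as `php audit-spool.php /var/www/typo3` (path assumed). A non-zero exit status marks an install that both uses the file spool and still ships the misspelled key, which makes the script usable from a fleet-wide check; an 'unknown' result means the FileSpool file was not found where expected and should be located manually.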

Read the full report for CVE-2026-0859 on our website for more details including interactive diagrams and full exploit analysis.
