CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-0895: Zombie Code: When Copy-Pasted Vulnerabilities Come Back to Haunt TYPO3


Vulnerability ID: CVE-2026-0895
CVSS Score: 5.2
Published: 2026-01-21

A classic case of 'copypasta' security debt. The TYPO3 Mailqueue extension duplicated a core component that contained a deserialization flaw. When the core was patched, the extension remained vulnerable, allowing attackers with filesystem access to achieve Remote Code Execution (RCE) via serialized email objects.

TL;DR

The 'Mailqueue' extension for TYPO3 uses an outdated, custom implementation of the system's file spooler. It blindly passes file contents to PHP's unserialize() function. If an attacker can write a file to the spool directory (via a separate vulnerability or low-privileged access), they can trigger RCE when the mailer task runs.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-502 (Insecure Deserialization)
  • CVSS v4.0: 5.2 (Medium)
  • Attack Vector: Local (File Write Required)
  • Exploit Status: PoC Available (via generic chains)
  • Patch: Yes (v0.5.1)
  • EPSS: 0.00017 (Low)

Affected Systems

  • TYPO3 CMS with Mailqueue extension < 0.4.3
  • TYPO3 CMS with Mailqueue extension 0.5.0
  • cpsit/typo3-mailqueue: < 0.4.3 (Fixed in: 0.4.3)
  • cpsit/typo3-mailqueue: 0.5.0 (Fixed in: 0.5.1)

Code Analysis

Commit: fd09aa4

Switch to PolymorphicDeserializer

- unserialize($content);
+ $this->deserializer->deserialize($content);
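Review bot: replacing unserialize($content) with $this->deserializer->deserialize($content) removes the unrestricted sink, but the hunk does not show where $this->deserializer is assigned or which classes PolymorphicDeserializer accepts; the commit message should state the allowed class set and how the deserializer is injected, and a regression test that feeds a spool file containing an unexpected serialized class and asserts it is rejected would pin the behaviour. Because the remediation steps tie this change to minimum TYPO3 core versions, the composer constraint bump belongs in the same change or should be referenced from this commit.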

Commit: 12a0a35

Update composer dependencies for security fix

Require updated TYPO3 core versions

Exploit Details

  • Theory: Standard PHPGGC gadget chains for TYPO3/Symfony can be used if file write is achieved.

Mitigation Strategies

  • Immediate update of the extension
  • Restrict filesystem permissions on spool directories
  • Audit scheduler logs for anomalies

Remediation Steps:

  1. Run composer update cpsit/typo3-mailqueue to fetch version 0.5.1 or later.
  2. Verify that the underlying TYPO3 core is updated to at least 11.5.49, 12.4.41, or 13.4.23 to support the new deserializer logic.
  3. Check the var/spool or configured mail path for any unrecognizable files and delete them.
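As an added illustration (not the extension's or TYPO3's code), the vulnerable unserialize() read next to a hardened read that uses allowed_classes, plus an audit helper for step 3 that lists the classes a spool file references without deserializing it; the class names in the allowlist are assumptions and must be replaced with every class the spooler actually persists.

```php
<?php
declare(strict_types=1);

// Assumed allowlist: must cover the top-level message class and every nested
// class it contains, otherwise legitimate spool files read back incomplete.
const SPOOL_ALLOWED_CLASSES = [
    'Symfony\\Component\\Mailer\\SentMessage',
    'Symfony\\Component\\Mime\\Email',
];

/**
 * Vulnerable pattern from the advisory: every class named in the file is
 * instantiated, so __wakeup/__destruct of attacker-chosen classes execute.
 */
function readSpoolUnsafe(string $content): mixed
{
    return unserialize($content);
}

/**
 * Hardened read: classes outside the allowlist become __PHP_Incomplete_Class,
 * so no magic method of an unexpected class runs. The caller must still check
 * the top-level type before using the result.
 */
function readSpoolSafe(string $content): mixed
{
    return unserialize($content, ['allowed_classes' => SPOOL_ALLOWED_CLASSES]);
}

/**
 * Audit helper: list class names referenced by a serialized blob without
 * deserializing it. Matches O:<len>:"Name" and C:<len>:"Name" tokens; a
 * string value that merely contains such text gives a false positive, which
 * is acceptable for a triage scan.
 */
function listSerializedClasses(string $content): array
{
    preg_match_all('/[OC]:\d+:"([^"]+)"/', $content, $m);
    return array_values(array_unique($m[1]));
}

function findUnexpectedClasses(string $content): array
{
    return array_values(array_diff(listSerializedClasses($content), SPOOL_ALLOWED_CLASSES));
}

// Constructed sample: a harmless object of a class the spooler never writes.
$sample = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';
printf("unexpected classes: %s\n", implode(', ', findUnexpectedClasses($sample)));
printf("safe read yields: %s\n", get_class(readSpoolSafe($sample)));
```

Run findUnexpectedClasses() over each file in the spool directory to produce the list of unrecognizable files that step 3 asks you to review before deleting.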

References


Read the full report for CVE-2026-0895 on our website for more details including interactive diagrams and full exploit analysis.
