Component Type: TYPO3 CMSSubcomponent: Mailer (ext:core)Release Date: January 13, 2026Vulnerability Type: Insecure DeserializationAffected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1Severity: MediumSuggested CVSS: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:HReferences: CVE-2026-0859, CWE-502 Problem Description Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server. The vulnerability is triggered when TYPO3 is configured with $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file'; and a scheduler task or cron job runs the command mailer:spool:send. The spool‑send operation performs the insecure deserialization that is at the core of this issue. Solution Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described. Credits Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it. General Advice Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list. General Note All security-related code changes are tagged so you can easily look them up in our review system.