TYPO3 FileSpool Insecure Deserialization via Extension
CVE-2026-0895 Published on January 20, 2026
Insecure Deserialization in extension "Mailqueue" (mailqueue)
The extension extends the TYPO3 FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 (https://typo3.org/security/advisory/typo3-core-sa-2026-004). Because the affected vulnerable code was extracted from TYPO3 core into the extension, the extension overwrites the related fix, so using the extension with a patched TYPO3 core version still allows for Insecure Deserialization. More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2026-0895 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
Affected Versions
TYPO3 Extension "Mailqueue":
- Versions before 0.4.3 are affected.
- Versions from 0.5.0 and below 0.5.1 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.