TYPO3 Deserialization RCE via Transport Spool
CVE-2026-1323 Published on March 17, 2026
Insecure Deserialization in extension "Mailqueue" (mailqueue)
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2026-1323 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
Affected Versions
TYPO3 Extension "Mailqueue":
- Versions before 0.4.5 are affected.
- Versions from 0.5.0 up to, but not including, 0.5.2 are affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2026-1323:
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | cpsit/typo3-mailqueue | < 0.4.5 | 0.4.5 |
| composer | cpsit/typo3-mailqueue | >= 0.5.0, < 0.5.2 | 0.5.2 |
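
A defender-side check built on the ranges in the table above, added here as an example and not taken from the advisory or the extension: it reports whether a `composer.lock` pins an affected `cpsit/typo3-mailqueue` release and whether a spool directory is writable by accounts other than its owner, which is the precondition the description names. The function names and the sample lock content are assumptions made for this example; pass the path your installation configures in `transport_spool_filepath`.

```python
import json
import os
import re
import stat

PACKAGE = "cpsit/typo3-mailqueue"
# Affected ranges from the table above: (inclusive lower bound or None, exclusive upper bound).
AFFECTED = [(None, (0, 4, 5)), ((0, 5, 0), (0, 5, 2))]

# Constructed sample composer.lock content, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "example/other-package", "version": "1.2.3"},
    {"name": PACKAGE, "version": "0.5.1"},
], "packages-dev": []})


def parse_version(text):
    """Return (major, minor, patch), or None for non-numeric versions such as dev-main."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(version):
    """True if the version tuple falls inside one of the affected ranges."""
    return any((low is None or version >= low) and version < high
               for low, high in AFFECTED)


def audit_lock(lock_text):
    """Return 'absent', 'affected', 'not_affected' or 'unknown' for the locked package."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            version = parse_version(pkg.get("version", ""))
            if version is None:
                return "unknown"  # e.g. a dev branch: review manually
            return "affected" if is_affected(version) else "not_affected"
    return "absent"


def spool_writable_by_others(path):
    """True if the spool directory is group- or world-writable."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    print("composer.lock:", audit_lock(SAMPLE_LOCK))
```

An `unknown` result means the lock file pins a branch or pre-release rather than a tagged release, so the installed commit has to be compared against the fixed versions by hand.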
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.