← back
CVE-2026-1323

Insecure Deserialization in extension "Mailqueue" (mailqueue)

CVSS 5.2 MEDIUMEPSS 0.2%CWE-502
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.2EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
17 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
Affected products
TYPO3 · Extension "Mailqueue"

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://typo3.org/security/advisory/typo3-ext-sa-2026-005