CVE
CVE-2026-1323
The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class
Description
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3CONFVARS']['MAIL']['transportspoolfilepath'].
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
5.2
-
4.0
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
C
H
U
-
Related Resources
No items found.
References
https://github.com/CPS-IT/mailqueue/security/advisories/GHSA-2pm6-9fhx-vvg3, https://nvd.nist.gov/vuln/detail/CVE-2026-1323, https://github.com/CPS-IT/mailqueue/commit/0f7a1376bbbd8c7658030d02e51c10a85b1dfdf7, https://github.com/CPS-IT/mailqueue/commit/600c7dba99f8eea5f2505b848ee3dd4713440741, https://github.com/CPS-IT/mailqueue, https://typo3.org/security/advisory/typo3-ext-sa-2026-005
Basic Information
Ecosystem
