EXECUTIVE SUMMARY:
CVE-2026-0895 is a Medium severity vulnerability with a CVSS base score of 5.2 on the CVSS 4.0 scale. It affects a TYPO3 extension that overrides the patched FileSpool component, reintroducing an Insecure Deserialization flaw even when the TYPO3 core is updated. This occurs because the vulnerable code was moved out of the core into the extension, allowing attackers to exploit deserialization weaknesses despite core security fixes being applied.
RECOMMENDATION:
We strongly recommend you update TYPO3 to version 0.4.3 or 0.5.1.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-ggff-9mj3-7246