Threat Advisory

TYPO3 Mailqueue Extension Vulnerability to Breach Through Serialized Items

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium


EXECUTIVE SUMMARY:

A vulnerability, CVE-2026-1323, has been discovered in the TYPO3 Mailqueue extension, where improper handling of deserialization in the TransportFailure class allows untrusted serialized data to be processed. The flaw arises from insufficient restrictions on the classes allowed during deserialization, which can enable execution of malicious payloads under specific conditions. An attacker who is able to write to the configured mail spool directory can exploit this weakness by injecting crafted serialized objects, leading to unauthorized code execution and possible compromise of system integrity, confidentiality, and availability. The vulnerability poses a significant risk in environments where file write permissions are exposed or misconfigured, so organizations should enforce strict access controls and update affected components promptly. The vulnerability has a CVSS score of 5.2.
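The class-restriction weakness described above, illustrated with the options of PHP's own unserialize() (PHP 8). This is an added example, not code from the Mailqueue extension; ExpectedFailureRecord and UnrelatedClass are hypothetical stand-ins, and the serialized samples are constructed inline from benign objects.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the one class a spool entry is expected to contain.
final class ExpectedFailureRecord
{
    public function __construct(public string $reason = '') {}
}

// Hypothetical stand-in for any other class the application can autoload.
final class UnrelatedClass
{
    public string $note = 'constructed sample';
}

// Weak form: any class named in the bytes is instantiated, and its magic
// methods (__wakeup, __destruct) run on data taken from the file.
function loadUnrestricted(string $bytes): mixed
{
    return unserialize($bytes);
}

// Hardened form: only the expected class may be instantiated. Every other
// class name is materialised as __PHP_Incomplete_Class, so its hooks never run.
function loadRestricted(string $bytes): ExpectedFailureRecord
{
    $value = unserialize($bytes, [
        'allowed_classes' => [ExpectedFailureRecord::class],
        'max_depth'       => 8,
    ]);
    // Also rejects `false`, which unserialize() returns for malformed input.
    if (!$value instanceof ExpectedFailureRecord) {
        throw new UnexpectedValueException('spool entry is not the expected type');
    }
    return $value;
}

// Constructed sample spool contents (benign objects only).
$expected = serialize(new ExpectedFailureRecord('smtp timeout'));
$foreign  = serialize(new UnrelatedClass());

echo get_class(loadUnrestricted($foreign)), PHP_EOL;
echo loadRestricted($expected)->reason, PHP_EOL;
try {
    loadRestricted($foreign);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Restricting the allowed classes limits what a crafted spool file can instantiate; it does not replace the update or tight write permissions on the spool directory.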

 

RECOMMENDATION:

  • We strongly recommend you update TYPO3 Mailqueue Extension to version 0.4.5 or 0.5.2 or later.

 

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-2pm6-9fhx-vvg3
