CVE-2026-1323: The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].
References
- github.com/CPS-IT/mailqueue
- github.com/CPS-IT/mailqueue/commit/0f7a1376bbbd8c7658030d02e51c10a85b1dfdf7
- github.com/CPS-IT/mailqueue/commit/600c7dba99f8eea5f2505b848ee3dd4713440741
- github.com/CPS-IT/mailqueue/security/advisories/GHSA-2pm6-9fhx-vvg3
- github.com/advisories/GHSA-2pm6-9fhx-vvg3
- nvd.nist.gov/vuln/detail/CVE-2026-1323
- typo3.org/security/advisory/typo3-ext-sa-2026-005
Code Behaviors & Features
Detect and mitigate CVE-2026-1323 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →