CVE Catalog

CVE-2026-49740

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

48th percentile - higher than 48% of all known CVEs

Summary

TYPO3 has an issue with deserializing PHP payloads in the cache frontend and persistent key-value store, which may lead to PHP Object Injection. An attacker with access to the storage backend could exploit this vulnerability for remote code execution.

Risk Assessment

Organizations may face serious threats, including remote code execution, potentially leading to data loss or system takeover. This requires local access to the database or file system.

Recommendation

It is recommended to update TYPO3 to versions 10.4.57, 11.5.51, 12.4.46, 13.4.31, or 14.3.3 to mitigate this vulnerability. Access to the data store should also be restricted to trusted users.

Original NVD description (English source)

TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS