CVE-2026-49740 PUBLISHED

TYPO3 CMS - Insecure Deserialization in Core API

Assigner: TYPO3
Reserved: 01.06.2026 Published: 09.06.2026 Updated: 09.06.2026

TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
CVSS Score: 6.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	None	Confidentiality	High
Attack Complexity	Low	Integrity	Low	Integrity	High
Attack Requirements	None	Availability	None	Availability	High
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	TYPO3
Product	TYPO3 CMS
Versions	Default: unaffected affected from 0 to 10.4.57 (excl.) affected from 11.0.0 to 11.5.51 (excl.) affected from 12.0.0 to 12.4.46 (excl.) affected from 13.0.0 to 13.4.31 (excl.) affected from 14.0.0 to 14.3.3 (excl.)

Credits

z3rco reporter
Chowdhury Faizal Ahammed reporter
Rick Larabee reporter
Vitaly Simonovich reporter
Nozomu Sasaki reporter
Mert Akdag reporter
tikket reporter
Shafi Almutairi reporter
Oliver Hader remediation developer

References

Problem Types

CWE-502 Deserialization of Untrusted Data CWE