CVE Alert

CVE-2026-49740

Severity: UNKNOWN (no CVSS score assigned yet)

TYPO3 CMS - Insecure Deserialization in Core API

CVSS Score: 0.0 (not yet scored)
EPSS Score: 0.2%
EPSS Percentile: 48th

TYPO3's cache frontend (VariableFrontend) and its persistent key-value store (Registry) unserialized stored PHP payloads without any integrity validation and without restricting which classes may be instantiated. An attacker who can write to the underlying storage backend (the cache store, or the sys_registry database table) could plant a crafted serialized payload; when the application later reads the entry, the payload is unserialized and PHP Object Injection occurs, which can be chained with a gadget in the application or its dependencies to achieve Remote Code Execution or other high-impact effects. Exploitation therefore requires prior write access to that storage, such as the SQL database or the file system; it is not reachable from an unauthenticated network position on its own. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 to 11.5.50, 12.0.0 to 12.4.45, 13.0.0 to 13.4.30 and 14.0.0 to 14.3.2; the fixed releases are 10.4.57, 11.5.51, 12.4.46, 13.4.31 and 14.3.3.
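The following PHP snippet is an added illustration, not code from TYPO3 or from the linked commits, of the two weaknesses the advisory names (no integrity check, no class restriction) and of the generic hardening for each: authenticate the stored blob with an HMAC before touching it, and call unserialize() with allowed_classes disabled so that no magic method of a real class can run. The LogWriter class, the secret, the column names in the scan helper and all payloads are constructed for this example.

```php
<?php
// Added example (not TYPO3 code). Demonstrates why unrestricted unserialize()
// of attacker-writable storage is dangerous, and what a hardened read looks like.
declare(strict_types=1);

// Hypothetical gadget: a class whose magic method does something useful to an
// attacker. Real chains use classes that already exist in the app or vendor code.
final class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $content = '';

    // Runs automatically when the object is destroyed; with attacker-controlled
    // properties this is an arbitrary file write.
    public function __destruct()
    {
        file_put_contents($this->path, $this->content);
    }
}

// Vulnerable pattern: the blob is trusted and every class may be instantiated.
function loadVulnerable(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened write: prepend an HMAC over the serialized payload (secret is server-side).
function storeHardened(mixed $value, string $secret): string
{
    $payload = serialize($value);
    return hash_hmac('sha256', $payload, $secret) . ':' . $payload;
}

// Hardened read: verify the HMAC in constant time, then refuse all classes.
function loadHardened(string $blob, string $secret): mixed
{
    [$mac, $payload] = explode(':', $blob, 2) + [null, null];
    if ($mac === null || $payload === null) {
        throw new RuntimeException('malformed cache entry');
    }
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        throw new RuntimeException('cache entry failed integrity check');
    }
    // allowed_classes=false turns every O:/C: token into __PHP_Incomplete_Class,
    // so __wakeup/__unserialize/__destruct of real classes never execute.
    return unserialize($payload, ['allowed_classes' => false]);
}

// Triage helper: flag stored rows whose serialized value contains an object
// token. Column names entry_namespace/entry_key/entry_value are an assumption
// about the sys_registry layout; adapt them to the table you are auditing.
function findObjectTokens(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match('/(?:^|[;{])[OC]:\d+:"/', (string) $row['entry_value'])) {
            $hits[] = $row['entry_namespace'] . '/' . $row['entry_key'];
        }
    }
    return $hits;
}

// Constructed attacker payload: what someone with write access to the cache
// backend or the sys_registry table could plant.
$malicious = 'O:9:"LogWriter":2:{s:4:"path";s:18:"/tmp/pwned.php.txt";s:7:"content";s:5:"owned";}';
$secret    = 'constructed-example-secret';

// Vulnerable path: the object is rebuilt and __destruct fires on release.
$obj = loadVulnerable($malicious);
var_dump($obj instanceof LogWriter);   // bool(true)
unset($obj);                            // /tmp/pwned.php.txt is written

// Hardened path, unsigned blob: rejected before unserialize() is reached.
try {
    loadHardened($malicious, $secret);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;     // cache entry failed integrity check
}

// Hardened path, correctly signed blob: still cannot instantiate a class.
$signed = hash_hmac('sha256', $malicious, $secret) . ':' . $malicious;
var_dump(loadHardened($signed, $secret) instanceof __PHP_Incomplete_Class); // bool(true)

// Ordinary data round-trips unchanged.
var_dump(loadHardened(storeHardened(['ttl' => 3600], $secret), $secret));

// Scan constructed rows: only the second one carries an object token.
var_dump(findObjectTokens([
    ['entry_namespace' => 'core', 'entry_key' => 'last_run', 'entry_value' => 'i:1717900000;'],
    ['entry_namespace' => 'core', 'entry_key' => 'cached',   'entry_value' => $malicious],
]));
```

The integrity check matters on its own: allowed_classes=false stops object instantiation, but a writable backend still lets an attacker swap in arbitrary scalar or array data that the application trusts, so a MAC keyed with a server-side secret is the control that actually removes the storage from the trust boundary. Treat the scan helper as a starting point for triage after a suspected storage compromise, not as proof of absence.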

CWE: CWE-502 (Deserialization of Untrusted Data)
Vendor: TYPO3
Product: TYPO3 CMS
Published: Jun 9, 2026
Last Updated: Jun 9, 2026

Affected Versions

TYPO3 / TYPO3 CMS

- all versions before 10.4.57
- 11.0.0 up to, but excluding, 11.5.51
- 12.0.0 up to, but excluding, 12.4.46
- 13.0.0 up to, but excluding, 13.4.31
- 14.0.0 up to, but excluding, 14.3.3

References

NVD, CVE.org, EPSS Data

- typo3.org: https://typo3.org/security/advisory/typo3-core-sa-2026-018
- github.com: https://github.com/TYPO3/typo3/commit/48bcf24f31f52cc0b43d3bea4984634bd2cf85c7
- github.com: https://github.com/TYPO3/typo3/commit/87cd7c5b710c44d3606fed277b040a75dc6a9c02

Credits

- z3rco
- Chowdhury Faizal Ahammed
- Rick Larabee
- Vitaly Simonovich
- Nozomu Sasaki
- Mert Akdag
- tikket
- Shafi Almutairi
- Oliver Hader