GHSA-c78m-c52x-jgwpMedium

TYPO3 CMS has Insecure Deserialization via Core API

Published
June 12, 2026
Last Modified
June 12, 2026

🔗 CVE IDs covered (1)

📋 Description

Problem

TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects.

Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system.

Solution

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.

Credits

TYPO3 CMS thanks “z3rco”, Chowdhury Faizal Ahammed, Rick Larabee, Vitaly Simonovich, Nozomu Sasaki, Mert Akdag, “tikket”, Shafi Almutairi for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.

Resources

🎯 Affected products5

  • composer/typo3/cms-core:< 10.4.57
  • composer/typo3/cms-core:>= 11.0.0, < 11.5.51
  • composer/typo3/cms-core:>= 12.0.0, < 12.4.46
  • composer/typo3/cms-core:>= 13.0.0, < 13.4.31
  • composer/typo3/cms-core:>= 14.0.0, < 14.3.3

🔗 References (7)