CVE Vulnerability Details: CVE-2026-49740
Status: PUBLISHED
Assigner: TYPO3
Assigner Org ID: f4fb688c-4412-4426-b4b8-421ecf27b14a
Published At: 09 Jun, 2026 | 10:53
Updated At: 09 Jun, 2026 | 13:40
Rejected At: -

CVE Numbering Authority (CNA)
TYPO3 CMS - Insecure Deserialization in Core API

TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Affected Products
Vendor: TYPO3 Association
Product: TYPO3 CMS
Collection URL: https://packagist.org
Package Name: typo3/cms-core
Repo: https://github.com/TYPO3/typo3
Modules:
  • Core
Default Status: unaffected
Affected Versions:
  • From 0 before 10.4.57 (semver)
  • From 11.0.0 before 11.5.51 (semver)
  • From 12.0.0 before 12.4.46 (semver)
  • From 13.0.0 before 13.4.31 (semver)
  • From 14.0.0 before 14.3.3 (semver)
Problem Types
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization of Untrusted Data
Metrics
Version: 4.0
Base score: 6.3
Base severity: MEDIUM
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
Credits
  • z3rco (reporter)
  • Chowdhury Faizal Ahammed (reporter)
  • Rick Larabee (reporter)
  • Vitaly Simonovich (reporter)
  • Nozomu Sasaki (reporter)
  • Mert Akdag (reporter)
  • tikket (reporter)
  • Shafi Almutairi (reporter)
  • Oliver Hader (remediation developer)
References
  • https://typo3.org/security/advisory/typo3-core-sa-2026-018 (vendor-advisory)
  • https://github.com/TYPO3/typo3/commit/48bcf24f31f52cc0b43d3bea4984634bd2cf85c7 (patch)
  • https://github.com/TYPO3/typo3/commit/87cd7c5b710c44d3606fed277b040a75dc6a9c02 (patch)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: Details not found