CVE-2026-0895
January 20, 2026
The extension extends TYPO3’ FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension. More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 .
Affected Packages
https://github.com/CPS-IT/mailqueue.git (GITHUB):
Affected version(s) =0.5.0 <0.5.1Fix Suggestion:
Update to version 0.5.1https://github.com/CPS-IT/mailqueue.git (GITHUB):
Affected version(s) >=0.1.0 <0.4.3Fix Suggestion:
Update to version 0.4.3cpsit/typo3-mailqueue (PHP):
Affected version(s) >=dev-bugfix/enforcing-http-methods <0.4.3Fix Suggestion:
Update to version 0.4.3cpsit/typo3-mailqueue (PHP):
Affected version(s) =0.5.0 <0.5.1Fix Suggestion:
Update to version 0.5.1Related Resources (6)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.2
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
3.8
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Deserialization of Untrusted Data
EPSS
Base Score:
0.02
