{"id":"CVE-2026-49740","summary":"TYPO3 CMS - Insecure Deserialization in Core API","details":"TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.","aliases":["GHSA-c78m-c52x-jgwp"],"modified":"2026-07-08T08:13:41.087916494Z","published":"2026-06-09T10:53:55.777Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"fixed":"10.4.57"},{"introduced":"11.0.0"},{"fixed":"11.5.51"},{"introduced":"12.0.0"},{"fixed":"12.4.46"}],"source":"AFFECTED_FIELD"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49740.json","cwe_ids":["CWE-502"],"cna_assigner":"TYPO3"},"references":[{"type":"WEB","url":"https://packagist.org"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49740.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49740"},{"type":"ADVISORY","url":"https://typo3.org/security/advisory/typo3-core-sa-2026-018"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/48bcf24f31f52cc0b43d3bea4984634bd2cf85c7"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/87cd7c5b710c44d3606fed277b040a75dc6a9c02"},{"type":"PACKAGE","url":"https://github.com/TYPO3/typo3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"fd8745e46bb11773e85524b8ee9650dabe340713"},{"introduced":"6d6bd23afff6a48ee3efeaa68eb829820397d6a1"},{"fixed":"59bfeaaf0136dfe17011786ce825884e48bedc8d"},{"fixed":"e16ec78165a7d60f09dcac04bfbb309409e174b3"},{"fixed":"48bcf24f31f52cc0b43d3bea4984634bd2cf85c7"},{"fixed":"87cd7c5b710c44d3606fed277b040a75dc6a9c02"}],"database_specific":{"extracted_events":[{"introduced":"13.0.0"},{"fixed":"13.4.31"},{"introduced":"14.0.0"},{"fixed":"14.3.3"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v14.3.2","v13.4.30","v14.3.1","v13.4.29","v14.3.0","v13.4.28","v14.2.0","v13.4.27","v13.4.26","v14.1.0","v13.4.25","v13.4.24","v13.4.23","v13.4.22","v13.4.21","v14.0.0","v13.4.20","v13.4.19","v13.4.18","v13.4.17","v13.4.16","v13.4.15","v13.4.14","v13.4.13","v13.4.12","v13.4.11","v13.4.10","v13.4.9","v13.4.8","v13.4.7","v13.4.6","v13.4.5","v13.4.4","v13.4.3","v13.4.2","v13.4.1","v13.4.0","v13.3.0","v13.2.1","v13.2.0","v13.1.0","v13.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49740.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"}]}