CVE-2026-0859 is a deserialization of untrusted data vulnerability (CWE-502) in the TYPO3 CMS mail spool handling mechanism. TYPO3 CMS versions 10.0.0 through 14.0.1 contain a flaw where local users with write access to the mail spool directory can place maliciously crafted files. These files are deserialized during the execution of the mailer:spool:send command, which processes queued mail messages. Because deserialization occurs without sufficient validation or sanitization, an attacker can inject arbitrary PHP objects or code that execute on the web server with the privileges of the TYPO3 process. This leads to arbitrary code execution, potentially allowing attackers to compromise the web server, access sensitive data, or pivot further into the network. The vulnerability requires local write access to the spool directory and partial authentication, but no user interaction. The CVSS 4.0 vector indicates low attack complexity but requires privileges (PR:L) and partial authentication (AT:P). The scope is high, meaning the vulnerability can affect components beyond the initially vulnerable one. No public exploits have been reported yet, but the flaw poses a serious risk if exploited. TYPO3 is widely used in European public and private sectors, making this vulnerability relevant for organizations relying on this CMS for web content management.

For European organizations, exploitation of CVE-2026-0859 could lead to unauthorized code execution on web servers hosting TYPO3 CMS, compromising confidentiality and integrity of hosted data and potentially enabling further lateral movement within internal networks. This could result in data breaches, defacement of websites, or disruption of services. Given TYPO3's popularity in government, education, and enterprise sectors across Europe, the impact could be significant, especially for organizations that allow multiple users or services write access to the mail spool directory. The vulnerability's requirement for local write access limits remote exploitation but insider threats or compromised accounts could leverage this flaw. The medium CVSS score reflects these factors, but the potential for privilege escalation and persistent compromise elevates the risk for critical infrastructure and sensitive data environments.

To mitigate CVE-2026-0859, organizations should immediately restrict write permissions to the mail spool directory to trusted users and services only, minimizing the risk of malicious file injection. Applying the latest TYPO3 CMS patches or updates as soon as they become available is critical. Until patches are released, consider disabling or restricting the mailer:spool:send command execution or running it in a hardened environment with strict access controls. Implement file integrity monitoring on the spool directory to detect unauthorized file creation or modification. Employ robust authentication and authorization controls to limit local user privileges and monitor for suspicious activity. Additionally, review and harden PHP configurations to limit code execution capabilities and consider using application-level sandboxing or containerization to isolate TYPO3 processes. Regularly audit user access and permissions related to the TYPO3 installation and spool directories.