CVE-2026-1323 is a vulnerability classified under CWE-502 (Deserialization of Untrusted Data) found in the TYPO3 CMS extension "Mailqueue". The issue stems from the extension's failure to properly define a whitelist of allowed classes during the deserialization process of transport failure metadata. Deserialization is the process of converting serialized data back into objects; if untrusted data is deserialized without strict controls, it can lead to arbitrary code execution. In this case, an attacker who can write to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'] can place crafted serialized payloads that, when deserialized by the extension, execute malicious code. The vulnerability affects versions 0 through 0.5.0 of the Mailqueue extension. The CVSS 4.0 vector indicates a local attack vector (AV:L), low attack complexity (AC:L), partial privileges required (PR:L), no user interaction (UI:N), and partial impact on integrity and availability, with high scope and security requirements. No public exploits are known, and no patches have been linked yet. This vulnerability highlights the risks of insecure deserialization in web applications, especially when combined with improper file system permissions.

If exploited, this vulnerability could allow an attacker with write access to the specified spool directory to execute arbitrary code within the context of the TYPO3 application. This can lead to unauthorized modification or deletion of data, disruption of mail queue processing, and potential further compromise of the hosting server. The impact on confidentiality, integrity, and availability is moderate given the requirement for local write access and partial privileges. However, in environments where the spool directory is writable by untrusted users or processes, the risk escalates significantly. Organizations relying on TYPO3 with the Mailqueue extension may face service disruptions, data integrity issues, and potential lateral movement within their networks if exploited. The absence of known exploits reduces immediate risk, but the vulnerability remains a concern for targeted attacks or insider threats.

To mitigate this vulnerability, organizations should first ensure that the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'] has strict write permissions, limiting access only to trusted system users and processes. Administrators should audit file system permissions to prevent unauthorized write access. Until a patch is available, consider disabling or removing the Mailqueue extension if it is not critical to operations. Implement application-level monitoring and logging to detect unusual file writes or deserialization activities in the spool directory. Additionally, review and harden TYPO3 configuration settings related to mail transport and serialization. When patches or updates addressing this vulnerability are released, apply them promptly. Employ defense-in-depth strategies such as web application firewalls (WAFs) to detect and block suspicious payloads targeting deserialization flaws. Finally, educate developers and administrators about secure deserialization practices and the risks of untrusted data processing.