Zombie Code: When Copy-Pasted Vulnerabilities Come Back to Haunt TYPO3
Jan 21, 2026 · 5 min read
Executive Summary (TL;DR)
The 'Mailqueue' extension for TYPO3 uses an outdated, custom copy of the TYPO3 core file spooler. It passes the contents of each spool file straight to PHP's `unserialize()` without any validation. If an attacker can write a file to the spool directory (via a separate vulnerability or low-privileged access), they can trigger RCE when the mailer task runs and processes that file.
A classic case of 'copypasta' security debt. The TYPO3 Mailqueue extension duplicated a core component that contained a deserialization flaw. When the core was patched, the extension remained vulnerable, allowing attackers with filesystem access to achieve Remote Code Execution (RCE) via serialized email objects.
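To make the flaw concrete, here is an added example (not code from the extension, TYPO3, or the advisory) contrasting the unguarded `unserialize()` pattern described above with a guarded spool reader. It assumes spool files hold PHP-serialized mail objects and uses the Symfony Mime/Mailer class names that TYPO3's mailer is built on as an assumed allowlist; a real deployment must extend that list to every class the mailer actually serializes.

```php
<?php
declare(strict_types=1);

// Assumed allowlist: the only classes a legitimate mail spool file should reference.
// Trim or extend it to match what the mailer in use really writes.
const SPOOL_ALLOWED_CLASSES = [
    'Symfony\Component\Mailer\SentMessage',
    'Symfony\Component\Mailer\Envelope',
    'Symfony\Component\Mime\Email',
    'Symfony\Component\Mime\Address',
    'Symfony\Component\Mime\Header\Headers',
];

/** Extract every class name referenced by an O: or C: record in a serialized blob. */
function serializedClassNames(string $blob): array
{
    preg_match_all('/(?:^|[;{])[OC]:\d+:"([^"]+)"/', $blob, $m);
    return array_values(array_unique($m[1]));
}

/** The vulnerable pattern the advisory describes: spool contents go straight to unserialize(). */
function readSpoolUnsafe(string $path): mixed
{
    return unserialize((string) file_get_contents($path));
}

/** Hardened reader: refuse blobs naming unexpected classes, then unserialize with an allowlist. */
function readSpoolGuarded(string $path): mixed
{
    $blob = (string) file_get_contents($path);
    $unexpected = array_diff(serializedClassNames($blob), SPOOL_ALLOWED_CLASSES);
    if ($unexpected !== []) {
        // Do not process the file. A foreign class name in the spool is a strong signal
        // that something other than the mailer wrote there, so log it for triage.
        error_log(sprintf('spool file %s references unexpected classes: %s',
            $path, implode(', ', $unexpected)));
        return null;
    }
    // allowed_classes makes any other class decode as __PHP_Incomplete_Class, so no
    // __wakeup()/__destruct() of a gadget class runs even if the regex above is evaded.
    return unserialize($blob, ['allowed_classes' => SPOOL_ALLOWED_CLASSES]);
}

// Constructed sample: a serialized object of a class the mailer would never write.
$sample = 'O:25:"App\Example\NotAMailClass":1:{s:3:"cmd";s:2:"id";}';
print_r(serializedClassNames($sample));
```

The regex pre-check fails closed: a string value that happens to contain an `O:` record causes a refusal rather than a deserialization, which is the safer error for a spool directory.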
Technical Appendix
CVSS v4.0 vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
Affected Systems
Affected Versions Detail
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| cpsit/typo3-mailqueue | CPS-IT | < 0.4.3 | 0.4.3 |
| cpsit/typo3-mailqueue | CPS-IT | 0.5.0 | 0.5.1 |
| Attribute | Detail |
|---|---|
| CWE | CWE-502 (Insecure Deserialization) |
| CVSS v4.0 | 5.2 (Medium) |
| Attack Vector | Local (File Write Required) |
| Exploit Status | PoC Available (via generic chains) |
| Patch | Yes (v0.5.1) |
| EPSS | 0.00017 (Low) |
MITRE ATT&CK Mapping
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.