20 matches found

Veracode
added 2026/03/21 5:14 a.m., 5 views

Remote Code Execution (RCE)

cpsit/typo3-mailqueue is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper restriction of allowed classes during deserialization of transport failure metadata, which allows an attacker to execute arbitrary code if they can write to the configured spool directory...

CVSS 8.8, AI score 6.3, EPSS 0.00135
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2026/03/18 4:17 p.m., 2 views

GHSA-2PM6-9FHX-VVG3 The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class

Description: The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at...

CVSS 8.8, AI score 5.9, EPSS 0.00135
Exploits: 0, References: 6
GitHub Security Blog
added 2026/03/18 4:17 p.m., 5 views

The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class

Description: The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at...

CVSS 8.8, AI score 5.9, EPSS 0.00135
Exploits: 0, References: 6, Affected Software: 1
Snyk
added 2026/03/17 10:51 a.m., 2 views

Deserialization of Untrusted Data

Overview: cpsit/typo3-mailqueue is a TYPO3 CMS extension to improve TYPO3's mail spooler with additional components. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the deserialization process. An attacker can execute arbitrary code by providing malicious...

CVSS 8.8, AI score 6.2, EPSS 0.00135
Exploits: 0, References: 2
CVE
added 2026/03/17 8:33 a.m., 14 views

CVE-2026-1323

CVE-2026-1323 highlights an insecure deserialization flaw in the TYPO3 mailqueue extension, specifically in the TransportFailure class. An attacker could execute untrusted serialized code, but an active exploit requires write access to the directory configured by $GLOBALS['TYPO3_CONF_VARS']['MAIL...

CVSS 8.8, AI score 5.9, EPSS 0.00135
Exploits: 0, References: 1, Affected Software: 1
Vulnrichment
added 2026/03/17 8:33 a.m., 0 views

CVE-2026-1323 Insecure Deserialization in extension "Mailqueue" (mailqueue)

The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at...

CVSS 5.2, AI score 5.9, EPSS 0.00135
Exploits: 0, References: 1
Cvelist
added 2026/03/17 8:33 a.m., 26 views

CVE-2026-1323 Insecure Deserialization in extension "Mailqueue" (mailqueue)

The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at...

CVSS 5.2, EPSS 0.00135
Exploits: 0, References: 1
CNNVD
added 2026/03/17 12:0 a.m., 4 views

TYPO3 Mailqueue Security Vulnerability

TYPO3 Mailqueue is an extension component developed by Elias Häußler, designed for managing and sending email queues. TYPO3 Mailqueue has a security vulnerability, which stems from the extension’s failure to correctly define the allowed classes used for deserialization when transmitting failed...

CVSS 8.8, AI score 5.9, EPSS 0.00135
Exploits: 0, References: 1
GitHub Security Blog
added 2026/01/21 3:47 p.m., 5 views

mailqueue TYPO3 extension affected by Insecure Deserialization in QueueableFileTransport

Description: The extension extends TYPO3’s FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004. Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization,...

CVSS 5.2, AI score 5.5, EPSS 0.00072
Exploits: 0, References: 6, Affected Software: 1
OSV
added 2026/01/21 3:47 p.m., 2 views

GHSA-GGFF-9MJ3-7246 mailqueue TYPO3 extension affected by Insecure Deserialization in QueueableFileTransport

Description: The extension extends TYPO3’s FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004. Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization,...

CVSS 5.2, AI score 5.5, EPSS 0.00072
Exploits: 0, References: 6
Snyk
added 2026/01/20 7:45 a.m., 2 views

Deserialization of Untrusted Data

Overview: cpsit/typo3-mailqueue is a TYPO3 CMS extension to improve TYPO3's mail spooler with additional components. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the FileSpool component. An attacker can execute arbitrary code by providing crafted...

CVSS 7.8, AI score 6.1, EPSS 0.00072
Exploits: 0, References: 2
Vulnrichment
added 2026/01/20 7:19 a.m., 3 views

CVE-2026-0895 Insecure Deserialization in extension "Mailqueue" (mailqueue)

The extension extends TYPO3’s FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 (https://typo3.org/security/advisory/typo3-core-sa-2026-004). Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core...

CVSS 5.2, AI score 5.5, EPSS 0.00072
Exploits: 0, References: 3
CVE
added 2026/01/20 7:19 a.m., 14 views

CVE-2026-0895

CVE-2026-0895 affects the TYPO3 mailqueue extension. The extension extends TYPO3’s FileSpool component, and the vulnerability is an Insecure Deserialization issue that existed in core TYPO3 prior to TYPO3-CORE-SA-2026-004. The core fix was overwritten by the extension, meaning that even patched T...

CVSS 5.2, AI score 5.5, EPSS 0.00072
Exploits: 0, References: 3
Cvelist
added 2026/01/20 7:19 a.m., 17 views

CVE-2026-0895 Insecure Deserialization in extension "Mailqueue" (mailqueue)

The extension extends TYPO3’s FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 (https://typo3.org/security/advisory/typo3-core-sa-2026-004). Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core...

CVSS 5.2, EPSS 0.00072
Exploits: 0, References: 3
CNNVD
added 2026/01/20 12:0 a.m., 4 views

TYPO3 extension mailqueue security vulnerability

TYPO3 extension mailqueue is an email extension developed under the open source of TYPO3. There is a security vulnerability in TYPO3 extension mailqueue, which stems from unsafe deserialization...

CVSS 5.2, AI score 5.8, EPSS 0.00072
Exploits: 0, References: 3
CNVD
added 2020/09/18 12:0 a.m., 2 views

SpamTitan Code Injection Vulnerability

SpamTitan is an anti-spam solution from C/o Copperfasten, Ireland. The solution is characterized by easy installation and simple configuration. A code injection vulnerability exists in SpamTitan 7.07. The vulnerability stems from improper validation of the quid parameter in mailqueue.php. The...

CVSS 8.8, AI score 7.9, EPSS 0.0755
Exploits: 3, References: 1
CNVD
added 2020/09/18 12:0 a.m., 5 views

SpamTitan Code Injection Vulnerability (CNVD-2020-52877)

SpamTitan is an anti-spam solution from C/o Copperfasten, Ireland. The solution is characterized by easy installation and simple configuration. A code injection vulnerability exists in SpamTitan 7.07. The vulnerability stems from improper validation of the jaction parameter in mailqueue.php. An...

CVSS 8.8, AI score 7.8, EPSS 0.08723
Exploits: 3, References: 1
OSV
added 2020/09/17 5:15 p.m., 0 views

CVE-2020-11804

An issue was discovered in Titan SpamTitan 7.07. Due to improper sanitization of the parameter quid, used in the page mailqueue.php, code injection can occur. The input for this parameter is provided directly by an authenticated user via an HTTP GET request...

CVSS 8.8, AI score 7.4
Exploits: 0, References: 5
OSV
added 2020/09/17 5:15 p.m., 2 views

CVE-2020-11803

An issue was discovered in Titan SpamTitan 7.07. Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluation server-side, because the user-provided input is passed directly to the php eval function. The user has to be authenticated...

CVSS 8.8, AI score 7.3
Exploits: 0, References: 5
CNVD
added 2015/07/02 12:0 a.m., 1 views

WatchGuard XCS 'id' OS Injection Vulnerability

WatchGuard XCS is an antivirus and email management security appliance. The WatchGuard XCS WEB interface 'mailqueue.spl' fails to properly handle the 'id' parameter, allowing remote attackers to exploit the vulnerability by submitting a special request to execute arbitrary system commands with...

AI score 7.7
Exploits: 0, References: 1