PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49740 TYPO3 CVE debrief

CVE-2026-49740 is a PHP Object Injection vulnerability in TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry). An attacker with write access to the underlying storage backend (cache store or sys_registry database table) can inject a crafted serialized payload that TYPO3 later deserializes, potentially leading to Remote Code Execution or other high-impact effects. Exploitation, however, requires direct local write access to that storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31, and 14.0.0-14.3.3.

Vendor
TYPO3
Product
TYPO3 CMS
CVSS
6.3 (MEDIUM)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-09
Original CVE updated
2026-06-09
Advisory published
2026-06-09
Advisory updated
2026-06-09

Who should care

Users of TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31, and 14.0.0-14.3.3 should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability is caused by the deserialization of PHP payloads without integrity validation or class restrictions in TYPO3's cache frontend and persistent key-value store. An attacker with write access to the underlying storage backend could inject a crafted serialized payload to trigger PHP Object Injection.
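As an added example (not TYPO3's code and not its fix), the following PHP sketches the two controls the summary says were missing: an HMAC integrity tag that is verified before unserialize() is called, and unserialize() restricted with allowed_classes => false so that stored data can never instantiate application classes. The class name SignedScalarStore, the in-memory $backend array standing in for a cache store or database table, and the secret string are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. A minimal key-value store wrapper that
// (1) authenticates every stored blob with an HMAC before deserializing it and
// (2) deserializes with allowed_classes => false, so objects in the blob are
// never constructed (they become __PHP_Incomplete_Class instead).
final class SignedScalarStore
{
    /** @var array<string,string> assumed stand-in for the cache backend / DB table */
    private array $backend = [];

    public function __construct(private string $secret) {}

    public function set(string $key, mixed $value): void
    {
        $blob = serialize($value);
        // Hex HMAC over the serialized bytes; anyone who can write the backend
        // but does not hold $secret cannot produce a valid tag.
        $tag = hash_hmac('sha256', $blob, $this->secret);
        $this->backend[$key] = $tag . ':' . $blob;
    }

    /** Returns the stored value, or null on a miss or an integrity failure. */
    public function get(string $key): mixed
    {
        if (!isset($this->backend[$key])) {
            return null;
        }
        $parts = explode(':', $this->backend[$key], 2);   // tag is hex, so the first ':' is the separator
        if (count($parts) !== 2) {
            return $this->reject($key, 'malformed entry');
        }
        [$tag, $blob] = $parts;
        if (!hash_equals(hash_hmac('sha256', $blob, $this->secret), $tag)) {
            return $this->reject($key, 'HMAC mismatch');
        }
        // Even a validly tagged blob may only yield scalars and arrays:
        // no __wakeup() / __destruct() of application classes can run.
        return unserialize($blob, ['allowed_classes' => false]);
    }

    /** Simulates a direct write to the backend that bypasses set() (e.g. via SQL or the file system). */
    public function rawBackendWrite(string $key, string $raw): void
    {
        $this->backend[$key] = $raw;
    }

    private function reject(string $key, string $why): mixed
    {
        // Integrity failures on a cache or registry entry are worth alerting on.
        error_log("store entry '$key' rejected: $why");
        return null;
    }
}

// --- Usage with constructed data ---------------------------------------------
$store = new SignedScalarStore('assumed-per-installation-secret');
$store->set('site/config', ['title' => 'Example', 'debug' => false]);
var_dump($store->get('site/config'));   // normal round-trip through set()/get()

// An entry placed straight into the backend without the key fails the HMAC
// check in get() and is treated as a miss; the object inside is never built.
$store->rawBackendWrite('site/config', 'deadbeef:' . serialize(new stdClass()));
var_dump($store->get('site/config'));
```

The ordering matters: the HMAC is checked over the raw bytes first, and unserialize() only runs on data that passed, so a tampered entry never reaches the deserializer at all. The allowed_classes restriction is the second layer for the case where the key itself has leaked or the application legitimately stores only scalar data anyway.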

Defensive priority

MEDIUM

Recommended defensive actions

  • Update to a patched version of TYPO3 CMS (10.4.57, 11.5.51, 12.4.46, 13.4.31, or 14.3.3 or later)
  • Restrict write access to the underlying storage backend (cache store or sys_registry database table)
  • Monitor the storage backend (cache store and sys_registry database table) for unexpected writes or entries that were not produced by the application

Evidence notes

The CVE-2026-49740 vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-49740) and details can be found on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-49740). Additional information is available at [ref-4](https://github.com/TYPO3/typo3/commit/48bcf24f31f52cc0b43d3bea4984634bd2cf85c7), [ref-5](https://github.com/TYPO3/typo3/commit/87cd7c5b710c44d3606fed277b040a75dc6a9c02), and [ref-6](https://typo3.org/security/advisory/typo3-core-sa-2026-018).

Official resources

CVE-2026-49740 was published on 2026-06-09T11:16:53.380Z and modified on 2026-06-09T13:46:50.540Z.