CVE-2026-49740

Description

### Problem TYPO3's cache frontend (`VariableFrontend`) and persistent key-value store (`Registry`) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. ### Solution Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described. ### Credits TYPO3 CMS thanks “z3rco”, Chowdhury Faizal Ahammed, Rick Larabee, Vitaly Simonovich, Nozomu Sasaki, Mert Akdag, “tikket”, Shafi Almutairi for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it. ### Resources * [TYPO3-CORE-SA-2026-018](https://typo3.org/security/advisory/typo3-core-sa-2026-018)

How to fix CVE-2026-49740

To remediate CVE-2026-49740, upgrade the affected package to a fixed version below.

• —upgrade to 10.4.57 or later

Is CVE-2026-49740 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-49740.

Affected packages (1)

• from 0, < 10.4.57

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-49740
• PATCHgithub.com/TYPO3/typo3
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49740.yaml
• WEBgithub.com/TYPO3/typo3/commit/48bcf24f31f52cc0b43d3bea4984634bd2cf85c7