### Key Information

**1. Vulnerability Type**

```
[SECURITY] Hardening message deserialization in FileSpool transport
```

**2. Vulnerability Description**

- **Issue**: Serialized messages handled by the delayed `FileSpool` transport allowed queued messages to be deserialized into classes other than `SentMessage`. The existing deserialization safeguards were completely ineffective.
- **Fix**: After the fix, all explicitly allowed classes are properly configured for the `unserialize` call. However, enumerating every permitted class across the various scope-related classes is difficult in the current implementation.
- **Improvement**: A new `PolymorphicDeserializer` component has been introduced to restrict deserialization by inspecting the serialized payload before it is processed.

**3. Affected Versions**

```
Resolves: #108610
Releases: main, 14.0, 13.4.5, 12.4.6
Change-Id: I32db2d7f0ff46d51d15c76e61296c0ef8ac6e23c
Security-Bulletin: TYPO3-CORE-SA-2026-084
Security-References: CVE-2026-0859
```

**4. Patch Details**

- **Commit ID**: `722bf71`
- **Committer**: `elishaeusser`
- **Commit Time**: `last week`

**5. Security Updates**

```
CVE-2026-0859
TYPO3-CORE-SA-2026-084
```

**6. Modified Files**

```
6 files changed
+358 -20 lines changed
```

The actual code changes are not fully provided, but based on the description, the changes primarily aim to prevent injection of attacker-controlled objects via serialization/deserialization, improving both security and detection capabilities.
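As an added illustration of the weak versus hardened `unserialize` usage described above (example code, not TYPO3's own): `SentMessage` and the inspection helper are constructed stand-ins, and the real `PolymorphicDeserializer` logic is not on this page.

```php
<?php
// Added example (not TYPO3's code, PHP 8+): an unrestricted unserialize()
// beside a hardened reader that inspects the payload and then restricts
// unserialize() with allowed_classes. SentMessage is a constructed stand-in.
declare(strict_types=1);
final class SentMessage
{
    public function __construct(public string $body) {}
}
// Hypothetical inspection in the spirit of the PolymorphicDeserializer named
// above. Serialized objects appear as O:<len>:"<Class>": (C: for custom
// serialization), so every such token, nested ones included, must name an
// allowed class. A string merely containing one is rejected too (fail closed).
function assertOnlyAllowedClasses(string $payload, array $allowed): void
{
    preg_match_all('/[OC]:\d+:"([^"]+)":/', $payload, $matches);
    foreach ($matches[1] as $class) {
        if (!in_array($class, $allowed, true)) {
            throw new RuntimeException("Disallowed class in payload: $class");
        }
    }
}
// Weak form: whatever class the payload names gets instantiated.
function unsafeRead(string $payload): mixed
{
    return unserialize($payload);
}
// Hardened form: inspect first, then let unserialize() instantiate only
// SentMessage; anything else becomes __PHP_Incomplete_Class and is refused.
function hardenedRead(string $payload): SentMessage
{
    $allowed = [SentMessage::class];
    assertOnlyAllowedClasses($payload, $allowed);
    $obj = unserialize($payload, ['allowed_classes' => $allowed]);
    if (!$obj instanceof SentMessage) {
        throw new RuntimeException('Spool entry is not a SentMessage');
    }
    return $obj;
}
// Constructed spool entries: a legitimate one and one naming a foreign class.
$good = serialize(new SentMessage('hello'));
$bad  = serialize(new stdClass());
echo 'unsafe  : ', get_class(unsafeRead($bad)), "\n";
echo 'hardened: ', get_class(hardenedRead($good)), "\n";
try {
    hardenedRead($bad);
} catch (RuntimeException $e) {
    echo 'hardened: ', $e->getMessage(), "\n";
}
```

The `allowed_classes` option alone only downgrades foreign objects to `__PHP_Incomplete_Class`; the payload inspection adds a second, earlier refusal point, which is the layering the description attributes to the new component.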