Affected are TYPO3 8.x through 8.7.26, and TYPO3 9.x through 9.5.7. A deserialization of untrusted data leads to a Remote Code Execution vulnerability, which can be combined with a Cross-Site Scripting vulnerability that was also detected in the backend (CVE-2019-12748). The truncated analysis results are available in our RIPS demo application. Please note that we limited the results to the issues described in this post in order to ensure a fix is available.