Back to search
CVE-2026-46725
Published: May 19, 2026
Modified: May 19, 2026
PUBLISHED
Description
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
| Vendor | Product | Versions |
|---|---|---|
TYPO3 | Extension "Content Element Selector" | affected 6.0.0 - < 6.0.1affected 5.0.0 - < 5.0.1affected 4.0.0 - < 4.0.2affected 0 - < 3.0.3 |
Weaknesses (CWE)
References
https://typo3.org/security/advisory/typo3-ext-sa-2026-013
vendor-advisory
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now