CVE-2026-46725
Description
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without validating or sanitizing it. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Remote, unauthenticated PHP Object Injection via crafted cookie in TYPO3 extension ceselector leads to RCE.
Vulnerability
The extension "Content Element Selector" (ceselector) for TYPO3 fails to sanitize an attacker-controlled cookie before passing it to PHP's unserialize() function, resulting in an insecure deserialization vulnerability. Affected versions are 6.0.0, 5.0.0, 4.0.0–4.0.1, 3.0.2 and below. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings [1].
Exploitation
An unauthenticated remote attacker can craft a malicious serialized payload and deliver it via a cookie. The vulnerability is triggered when the cookie is processed by the extension under the specific configuration mentioned above. No authentication or prior access is needed [1].
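The cookie-to-unserialize() pattern the advisory describes, next to a hardened form that keeps only plain data in the cookie, as an added PHP example that is not the ceselector extension's own code; the cookie name "ce_selection", the function names and the HMAC scheme are assumptions.

```php
<?php
// Added example, not code from the ceselector extension. The cookie name "ce_selection"
// and the function names are assumptions; the advisory does not name the real ones.
// BEFORE: the pattern the advisory describes. The raw cookie string goes straight into
// unserialize(), so whoever sets the cookie chooses which classes PHP instantiates.
function restoreSelectionUnsafe(array $cookies): mixed
{
    if (!isset($cookies['ce_selection'])) {
        return null;
    }
    return unserialize($cookies['ce_selection']); // PHP Object Injection sink
}

// AFTER: carry only plain data in the cookie (JSON, never serialized objects), check its
// shape, and authenticate it with an HMAC so a forged or edited cookie is simply ignored.
// The selection is reduced to what the feature needs: a list of content element uids.
function restoreSelectionSafe(array $cookies, string $secret): ?array
{
    $raw = $cookies['ce_selection'] ?? null;
    if (!is_string($raw) || substr_count($raw, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $raw, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null; // tampered or foreign cookie
    }
    $decoded = base64_decode($payload, true);
    $data = $decoded === false ? null : json_decode($decoded, true);
    if (!is_array($data)) {
        return null;
    }
    $uids = [];
    foreach ($data as $uid) {
        if (!is_int($uid) || $uid < 0) {
            return null; // anything but a non-negative integer uid is rejected
        }
        $uids[] = $uid;
    }
    return $uids;
}

// Issued by the server side of the same feature; the client never builds this value.
function buildSelectionCookie(array $uids, string $secret): string
{
    $payload = base64_encode(json_encode(array_values($uids)));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}
```

If unserialize() cannot be removed in one step, PHP 7+ accepts unserialize($raw, ['allowed_classes' => false]) to refuse object instantiation, which blocks the injection but still parses untrusted data; treat it as a stopgap, not the fix.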
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the TYPO3 server, leading to full compromise of confidentiality, integrity, and availability of the application and its data [1].
Mitigation
Fixed versions have been released: 6.0.1, 5.0.1, 4.0.2, and 3.0.3, all dated May 19, 2026. Users should update the extension immediately via the TYPO3 extension manager or from the provided download links. No workaround is available [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.