CVE-2026-46725
Remote Code Execution in extension "Content Element Selector" (ceselector)
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
| CWE | CWE-502 |
| Vendor | typo3 |
| Product | extension "content element selector" |
| Published | May 19, 2026 |
| Last Updated | May 19, 2026 |
Stay Ahead of the Next One
Get instant alerts for typo3 extension "content element selector"
Be the first to know when new unknown vulnerabilities affecting typo3 extension "content element selector" are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
Affected Versions
TYPO3 / Extension "Content Element Selector"
6.0.0 < 6.0.1 5.0.0 < 5.0.1 4.0.0 < 4.0.2 0 < 3.0.3
References
Credits
π Torben Hansen Matthias MΓ€chler