Description
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
Published: 2026-05-19
Score: 9.2 Critical
EPSS: 3.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The TYPO3 extension "Content Element Selector" passes a cookie directly to PHP’s unserialize() function without validating or sanitizing the data. This PHP Object Injection flaw permits a remote, unauthenticated attacker to supply a crafted serialized payload that can execute arbitrary code on the TYPO3 server. The vulnerability enables full control over the affected host, potentially allowing attacker‑initiated modifications, data exfiltration, or further network pivots.

Affected Systems

Any TYPO3 deployment that has the "Content Element Selector" extension installed is potentially affected. The advisory does not list a specific version range, so the vulnerability may exist in any released version until a patch is applied. The exploit requires the plugin to be configured with "Persistent Mode: Static" in its settings.

Risk and Exploitability

The CVSS score of 9.2 indicates a critical level of risk, while the EPSS score of 3% shows a moderate likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Because the attacker only needs to send a crafted cookie in an HTTP request, the attack vector is feasible from any network location, making the risk of exploitation significant.

Generated by OpenCVE AI on May 26, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the "Content Element Selector" extension to the latest version that contains the PHP unserialize fix.
  • Reconfigure the extension to disable or change the Persistent Mode setting from Static to another value, eliminating the prerequisite for the exploit payload.
  • If the extension is not essential to your site, uninstall it to remove the vulnerability entirely.

Generated by OpenCVE AI on May 26, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Typo3
Typo3 extension "content Element Selector"
Vendors & Products Typo3
Typo3 extension "content Element Selector"

Tue, 19 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
Title Remote Code Execution in extension "Content Element Selector" (ceselector)
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Typo3 Extension "content Element Selector"
cve-icon MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-05-19T13:29:29.556Z

Reserved: 2026-05-16T09:55:27.478Z

Link: CVE-2026-46725

cve-icon Vulnrichment

Updated: 2026-05-19T13:28:49.551Z

cve-icon NVD

Status : Deferred

Published: 2026-05-19T10:16:25.457

Modified: 2026-05-19T14:47:13.200

Link: CVE-2026-46725

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T16:00:11Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data