Description
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
Published: 2026-05-19
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The TYPO3 extension "Content Element Selector" directly passes an attacker‑controlled cookie to PHP’s unserialize() function without input sanitization. This PHP Object Injection flaw allows a remote, unauthenticated attacker to supply a crafted serialized payload that obtains arbitrary code execution on the TYPO3 server. The impact is thus full control over the affected host, with potential to modify, delete, or exfiltrate data, install malware, or pivot within the network.

Affected Systems

Any TYPO3 deployment that has the "Content Element Selector" extension installed is vulnerable. No specific version range is provided in the advisory, so all released versions are at risk until patched. The vulnerability is triggered only when the plugin is configured with Persistent Mode set to Static.

Risk and Exploitability

The CVSS score of 9.2 classifies this as a critical vulnerability, while the EPSS score is not available and the issue is not listed in CISA’s KEV catalog. Exploitation requires the Persistent Mode: Static setting, but an attacker can achieve this by simply delivering a crafted cookie in an HTTP request, which is feasible from any network location. Given the high severity and remote unauthenticated nature, the risk of exploitation is significant.

Generated by OpenCVE AI on May 19, 2026 at 11:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the "Content Element Selector" extension to the latest release that includes the PHP unserialize fix.
  • Reconfigure the extension to disable or change the Persistent Mode setting from Static to Dynamic or Off, removing the prerequisite for the exploit payload.
  • If the extension is not essential to your site, uninstall it to eliminate the vulnerability entirely.

Generated by OpenCVE AI on May 19, 2026 at 11:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Typo3
Typo3 extension "content Element Selector"
Vendors & Products Typo3
Typo3 extension "content Element Selector"

Tue, 19 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
Title Remote Code Execution in extension "Content Element Selector" (ceselector)
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Typo3 Extension "content Element Selector"
cve-icon MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-05-19T13:29:29.556Z

Reserved: 2026-05-16T09:55:27.478Z

Link: CVE-2026-46725

cve-icon Vulnrichment

Updated: 2026-05-19T13:28:49.551Z

cve-icon NVD

Status : Deferred

Published: 2026-05-19T10:16:25.457

Modified: 2026-05-19T14:47:13.200

Link: CVE-2026-46725

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:39:32Z

Weaknesses