CVE-2026-46725
PHP Object Injection in TYPO3 Static Content Plugin
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: TYPO3
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| typo3 | content_element_selector | to 6.0.1 (exc) |
| typo3 | content_element_selector | to 5.0.1 (exc) |
| typo3 | content_element_selector | From 4.0.0 (inc) to 4.0.1 (inc) |
| typo3 | content_element_selector | to 3.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the TYPO3 extension "Content Element Selector" (ceselector) where an attacker-controlled cookie is passed directly to PHP's unserialize() function without proper validation or sanitization.
This allows a remote, unauthenticated attacker to send a specially crafted serialized payload that triggers PHP Object Injection, which can lead to Remote Code Execution on the TYPO3 server.
Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows an unauthenticated remote attacker to execute arbitrary code on the TYPO3 server.
Successful exploitation could lead to full compromise of the server, including unauthorized access to data, modification or deletion of content, and potential use of the server for further attacks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should update the 'Content Element Selector' extension for TYPO3 to the fixed versions: 6.0.1, 5.0.1, 4.0.2, or 3.0.3.
Additionally, ensure that the content element is not configured with 'Persistent Mode: Static' in the plugin settings, as exploitation requires this configuration.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows remote code execution on the TYPO3 server through insecure deserialization, which can lead to unauthorized access and control over the system.
Such unauthorized access and potential data breaches can compromise the confidentiality, integrity, and availability of sensitive data, thereby negatively impacting compliance with common standards and regulations like GDPR and HIPAA.
Organizations using the affected TYPO3 extension should update to patched versions immediately to mitigate the risk and maintain compliance with these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP requests that include suspicious or crafted serialized payloads within cookies targeting the TYPO3 Content Element Selector extension. Since the exploit involves sending a specially crafted serialized PHP object via a cookie, inspecting incoming cookies for unusual serialized data patterns may help identify attempts to exploit this issue.
A practical approach is to capture and analyze HTTP traffic to the TYPO3 server, focusing on cookies sent in requests to the vulnerable extension. Tools like tcpdump, Wireshark, or web server logs can be used for this purpose.
- Use tcpdump to capture HTTP traffic on port 80 or 443: tcpdump -i eth0 -A 'tcp port 80 or tcp port 443'
- Filter web server logs for requests containing cookies with suspicious serialized PHP data (e.g., strings starting with 'O:', 'a:', or 's:').
- Use grep or similar tools to search logs for serialized payload patterns: grep -i 'O:[0-9]:' /var/log/apache2/access.log
Additionally, checking the TYPO3 plugin settings to verify if the content element is configured with "Persistent Mode: Static" can help assess exposure to this vulnerability.