PHP Object Injection Vulnerability in TYPO3 Extension by TYPO3
CVE-2026-46725

9.2 CRITICAL

Key Information:

Vendor:
TYPO3

CVE Published:
19 May 2026

What is CVE-2026-46725?

A vulnerability in the TYPO3 extension "Content Element Selector" allows attackers to exploit PHP's unserialize() function: the extension passes the contents of a crafted cookie to unserialize() without proper validation. This flaw allows remote, unauthenticated attackers to perform PHP Object Injection, potentially leading to unauthorized remote code execution on the TYPO3 server. Exploitation requires that the content element is set to 'Persistent Mode: Static' within the plugin configuration.
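The following is an added illustration of the flaw class described above; it is not code from the Content Element Selector extension or from TYPO3. It contrasts the vulnerable pattern (unserialize() on cookie data) with a hardened replacement that stores state as JSON and validates it, plus a migration-only variant that forbids object instantiation. The cookie name "ce_selection", the state shape, and PHP 8 are assumptions.

```php
<?php
// Added example, not the extension's own code. Assumes PHP >= 8.0 and a
// hypothetical cookie named "ce_selection" holding the selected element uids.
declare(strict_types=1);

// --- Vulnerable pattern: unserialize() on attacker-controlled cookie data. ---
// The cookie value is entirely client-controlled, so the caller can choose
// which class gets instantiated; any class with magic methods such as
// __wakeup() or __destruct() then runs with the application's privileges.
// This is the pattern the advisory describes.
function restoreSelectionVulnerable(array $cookies): mixed
{
    $raw = $cookies['ce_selection'] ?? '';
    return unserialize($raw); // class and properties chosen by the client
}

// --- Hardened: JSON state with strict validation, no objects at all. ---
// json_decode() with assoc=true only ever produces arrays and scalars, so no
// PHP class can be instantiated. Everything not matching the expected shape
// is discarded and a default state is returned.
function restoreSelectionHardened(array $cookies): array
{
    $default = ['selected' => []];
    $raw = $cookies['ce_selection'] ?? '';
    if (!is_string($raw) || $raw === '' || strlen($raw) > 4096) {
        return $default;
    }
    try {
        $data = json_decode($raw, true, 3, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return $default;
    }
    if (!is_array($data) || !isset($data['selected']) || !is_array($data['selected'])) {
        return $default;
    }
    // Allow-list: only positive integer uids survive.
    $selected = [];
    foreach ($data['selected'] as $uid) {
        if (is_int($uid) && $uid > 0) {
            $selected[] = $uid;
        }
    }
    return ['selected' => $selected];
}

// --- Migration-only: if legacy serialized cookies must still be read, at
// least forbid object instantiation. Any object in the payload becomes a
// __PHP_Incomplete_Class instance whose magic methods never run. ---
function restoreSelectionLegacy(array $cookies): array
{
    $raw = $cookies['ce_selection'] ?? '';
    if (!is_string($raw)) {
        return ['selected' => []];
    }
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 3]);
    return is_array($data) ? $data : ['selected' => []];
}

// Constructed demonstration values (not real traffic):
$good = ['ce_selection' => '{"selected":[12,7]}'];
$bad  = ['ce_selection' => 'O:8:"stdClass":0:{}']; // a serialized object, not JSON

var_dump(restoreSelectionHardened($good)); // ['selected' => [12, 7]]
var_dump(restoreSelectionHardened($bad));  // default state: ['selected' => []]
var_dump(restoreSelectionLegacy($bad));    // default state: object was not an array
```

The design point is that the fix is not "validate the serialized string better" but "never hand client-controlled bytes to unserialize()": a JSON format with a strict schema removes the object-instantiation primitive entirely. Rejected cookie values are a useful thing to log, since a serialized-object payload arriving where JSON is expected is a strong indicator that someone is probing for this class of bug.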

Affected Version(s)

  • Extension "Content Element Selector" 6.0.0 < 6.0.1
  • Extension "Content Element Selector" 5.0.0 < 5.0.1
  • Extension "Content Element Selector" 4.0.0 < 4.0.2


CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 19 May 2026
  • Vulnerability reserved

Credit

Torben Hansen
Matthias Mächler