CVE-2026-46725
published 2026-05-19


Priority: P2 72 · Severity: critical, 9.2 (CVSS 4.0)
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
Exploit: flagged (EXPLOIT badge)
EPSS: 2.31% (81.2th percentile)
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.

Affected (8 ranges)

Vendor   Product                              Version range       Fixed in
mmc      ceselector                           >= 0 < 3.0.3        3.0.3
mmc      ceselector                           >= 4.0.0 < 4.0.2    4.0.2
mmc      ceselector                           >= 5.0.0 < 5.0.1    5.0.1
mmc      ceselector                           >= 6.0.0 < 6.0.1    6.0.1
typo3    extension_content_element_selector   < 3.0.3             3.0.3
typo3    extension_content_element_selector   >= 4.0.0 < 4.0.2    4.0.2
typo3    extension_content_element_selector   >= 5.0.0 < 5.0.1    5.0.1
typo3    extension_content_element_selector   >= 6.0.0 < 6.0.1    6.0.1

Detection & IOCs

Cookie name pattern: T3_ceselector_\d+
  • Detect exploitation attempts by inspecting HTTP requests for a cookie name matching the pattern T3_ceselector_<digits> containing a URL-encoded PHP serialized object payload (starting with O%3A or O:)
  • The exploit uses a Monolog gadget chain (GroupHandler → BufferHandler → LogRecord) with 'system' as a processor to achieve RCE; detect presence of 'Monolog%5CHandler%5CGroupHandler' or 'Monolog\Handler\GroupHandler' in cookie values on TYPO3 endpoints
  • Successful exploitation produces Unix id command output in the HTTP response body; monitor for responses matching uid=\d+\([a-zA-Z0-9_-]+\)\s+gid=\d+\([a-zA-Z0-9_-]+\) on TYPO3 servers
  • Exploitation is only possible when the ceselector content element is configured with 'Persistent Mode: Static'; focus detection on TYPO3 instances with this plugin configuration
  • Use Shodan query http.component:"TYPO3 CMS" to identify potentially vulnerable internet-facing TYPO3 instances for proactive scanning
  • Exploitation requires the vulnerable TYPO3 ceselector content element to be explicitly configured with 'Persistent Mode: Static'; instances without this configuration are not exploitable via this vector
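A defender-side check for the cookie and response indicators listed above, written as an added example and not taken from the advisory or the extension: it parses a Cookie header, flags a ceselector cookie whose URL-decoded value contains a PHP serialized object, escalates when the Monolog gadget class named above is present, and separately matches the `id` output pattern in a response body. It assumes a legitimate cookie value is a serialized scalar or array rather than an object, and it looks for an object anywhere in the value rather than only at the start, so objects nested inside a serialized array are caught too.

```python
import re
from urllib.parse import unquote

# Cookie name pattern given in the advisory: T3_ceselector_<digits>
COOKIE_NAME = re.compile(r"^T3_ceselector_\d+$")
# A PHP serialized object anywhere in the decoded value: O:<len>:"<class>"
SERIALIZED_OBJECT = re.compile(r'O:\d+:"')
# Gadget class named in the advisory's detection notes
GADGET_MARKER = "Monolog\\Handler\\GroupHandler"
# Unix `id` output pattern from the advisory's response-side indicator
ID_OUTPUT = re.compile(r"uid=\d+\([a-zA-Z0-9_-]+\)\s+gid=\d+\([a-zA-Z0-9_-]+\)")

def parse_cookie_header(header):
    """Split a raw Cookie header into a {name: raw_value} dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies

def classify_cookie_header(header):
    """Rate one Cookie header as (severity, reason); severity is none/info/medium/high."""
    for name, raw in parse_cookie_header(header).items():
        if not COOKIE_NAME.match(name):
            continue
        value = unquote(raw)  # cookie values arrive URL-encoded
        if GADGET_MARKER in value:
            return ("high", f"{name}: Monolog gadget-chain class in serialized cookie")
        if SERIALIZED_OBJECT.search(value):
            return ("medium", f"{name}: PHP serialized object in cookie value")
        # Assumption: a legitimate value is a serialized scalar or array, never an object
        return ("info", f"{name}: ceselector cookie without serialized object")
    return ("none", "no ceselector cookie present")

def response_shows_id_output(body):
    """True if a response body carries the `id` output pattern from the advisory."""
    return ID_OUTPUT.search(body) is not None

if __name__ == "__main__":
    # Constructed sample headers, not real traffic
    for header in (
        "PHPSESSID=abc123; T3_ceselector_12=a%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22id%22%3B%7D",
        "T3_ceselector_12=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
        "T3_ceselector_7=O%3A28%3A%22Monolog%5CHandler%5CGroupHandler%22%3A0%3A%7B%7D",
    ):
        print(classify_cookie_header(header))
    print(response_shows_id_output("uid=33(www-data) gid=33(www-data) groups=33(www-data)"))
```

The "medium" tier will also fire on any future gadget chain that does not use Monolog, which is the point of keying on the serialized-object marker rather than on one class name.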