Threat Advisory

TYPO3 Content Element Selector Flaw Facilitates Unauthenticated RCE

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-46725 (CVSS score 9.2) is a critical remote code execution (RCE) vulnerability in "Content Element Selector", a popular third-party extension for the TYPO3 project. It affects versions 6.0.0, 5.0.0, 4.0.0 through 4.0.1, and 3.0.2 and all earlier releases. The flaw is an insecure deserialization issue (CWE-502): the extension passes untrusted client-supplied data directly to PHP's high-risk unserialize() function. An attacker can place a malicious serialized payload in a browser cookie; when the server processes that cookie, arbitrary code executes on the underlying TYPO3 server. Because no authentication is required, an attacker can fully hijack a vulnerable web server, gaining access to sensitive data and the ability to disrupt business operations. The business impact is severe, including data breaches, financial losses, and reputational damage. Note that exploitation is conditional on plugin configuration: the targeted content element must be explicitly configured with "Persistent Mode: Static" in the plugin options.
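The cookie-to-unserialize() flow the summary describes, beside a hardened replacement that stores HMAC-authenticated JSON instead, as an added PHP example; it is not code from the mmc/ceselector extension or from TYPO3, and the cookie name, function names and the stored field are assumptions.

```php
<?php
// Added example, not code from the mmc/ceselector extension or the TYPO3 project.
// Cookie name, function names and the shape of the stored state are assumptions.
declare(strict_types=1);

// UNSAFE: the CWE-502 pattern the advisory describes. Bytes fully controlled by the
// client reach unserialize(), which can instantiate any loaded class and run its
// __wakeup()/__destruct() logic; no authentication is needed to send a cookie.
// (Passing ['allowed_classes' => false] as the second argument blocks object
// instantiation and is a quick stop-gap, but replacing the format is the real fix.)
function loadSelectionUnsafe(array $cookies): mixed
{
    return unserialize($cookies['ce_selection'] ?? '');
}

// HARDENED: store plain JSON, authenticate it with an HMAC under a server-side
// secret, and validate the decoded structure before use. Nothing in this path can
// instantiate an object, so a crafted cookie is rejected instead of executed.
function storeSelectionSafe(array $selection, string $secret): string
{
    $payload = base64_encode(json_encode($selection, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function loadSelectionSafe(array $cookies, string $secret): array
{
    $parts = explode('.', (string)($cookies['ce_selection'] ?? ''), 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; a forged or tampered cookie fails here.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return [];
    }
    $json = base64_decode($payload, true);
    try {
        $data = $json === false ? null : json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return [];
    }
    // Accept only the field the feature needs, with the expected type.
    if (!is_array($data) || !isset($data['element']) || !is_int($data['element'])) {
        return [];
    }
    return ['element' => $data['element']];
}
```

Detection-wise, a cookie value for this feature that begins with PHP serialization markers such as `O:` or `a:` is worth alerting on, since the hardened format above never produces them.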

RECOMMENDATION:

We recommend updating the mmc/ceselector extension to version 6.0.1, 5.0.1, 4.0.2, or 3.0.3, depending on the installed release line.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/typo3-extension-content-element-selector-rce-cve-2026-46725/
