CVE-2026-46725 – Remote Code Execution in extension “Content Element Selector” (ceselector)

CVE ID :CVE-2026-46725

Published : May 19, 2026, 10:16 a.m. | 44 minutes ago

Description :The extension passes an attacker-controlled cookie directly to PHP’s unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with “Persistent Mode: Static” in the plugin settings.

Severity: 9.2 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…