Typo3 · Typo3 Extension · CVE-2026-46725
**Name of the Vulnerable Software and Affected Versions**
Content Element Selector (ceselector) (affected versions not specified)
**Description**
The extension passes an attacker-controlled cookie directly to the `unserialize()` function without safe processing. A remote, unauthenticated attacker can provide a crafted serialized payload to trigger PHP Object Injection, which allows for Remote Code Execution on the TYPO3 server. This issue occurs when the content element is configured with "Persistent Mode: Static" in the plugin settings. Over 294,700 TYPO3 CMS surfaces were indexed by FOFA in the past year.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.