FixVibe
Research note (severity: critical)

TYPO3 Content Element Selector Remote Code Execution (CVE-2026-46725)

The TYPO3 extension 'Content Element Selector' (ceselector) is vulnerable to Remote Code Execution (RCE) due to insecure deserialization of user-supplied data. Attackers can exploit this to execute arbitrary PHP code on the server.

CVE-2026-46725 | GHSA-8x3j-439w-537c | CWE-502

Impact

An attacker can achieve full Remote Code Execution (RCE) on the underlying server hosting the TYPO3 instance [S3]. By sending a specially crafted payload to an endpoint managed by the "Content Element Selector" (ceselector) extension, an unauthenticated or low-privileged user can trigger the execution of arbitrary PHP code [S3]. This typically leads to complete system compromise, data exfiltration, or persistent backdoor installation [S3].

Root Cause

The vulnerability stems from the use of insecure deserialization (CWE-502) within the extension's logic [S3]. Specifically, the application processes serialized data from an untrusted source without sufficient validation or integrity checks [S3]. In PHP environments, passing untrusted strings to the unserialize() function allows attackers to instantiate arbitrary objects and trigger "magic methods" that execute code [S3].

Technical Details

The affected extension, mmc/ceselector, fails to protect its data processing routines in versions up to 6.0.0 [S3]. The flaw is categorized as a critical deserialization issue with a CVSS score of 9.2 [S3]. This suggests the entry point is likely a request parameter or cookie that is directly passed into a deserialization routine within the extension's content element selection logic [S3].

Remediation

Users of the mmc/ceselector extension should take the following actions:

  • Update immediately: Users should check for updates from the vendor mmc that address CVE-2026-46725 [S3].
  • Disable the extension: If an update is not available, disable the "Content Element Selector" extension to mitigate the risk of exploitation [S3].
  • Input Validation: Ensure that no user-controllable data is passed to PHP's unserialize() function. Use safer alternatives like json_decode() for data interchange [S3].
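As an added illustration of the last remediation item (example code, not the extension's own): the weak pattern the advisory describes, beside a hardened replacement that carries the selector state as JSON, binds it to a server-side secret with an HMAC, and checks its shape after decoding. The function names, field names and secret are assumptions.

```php
<?php
declare(strict_types=1);

// Weak pattern from the advisory (CWE-502): untrusted request data reaches unserialize(),
// so any class with a __wakeup()/__destruct() gadget can be instantiated.
function selectorStateInsecure(string $raw): mixed
{
    return unserialize($raw);
    // If the serialized format cannot be changed, at least pass
    // ['allowed_classes' => false] so no application objects are created.
}

// Hardened replacement (hypothetical helper): JSON plus HMAC, never unserialize().
function encodeSelectorState(array $state, string $secret): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $secret);
    return base64_encode($json) . '.' . $mac;
}

function decodeSelectorState(string $token, string $secret): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false) {
        return null;
    }
    // Constant-time comparison: a tampered or forged token fails here.
    if (!hash_equals(hash_hmac('sha256', $json, $secret), $parts[1])) {
        return null;
    }
    // json_decode only yields arrays and scalars, never application objects.
    $state = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    // Shape check: only the fields the selector needs, with the types it expects.
    if (!is_array($state) || !isset($state['cType'], $state['uid'])
        || !is_string($state['cType']) || !is_int($state['uid'])
        || !preg_match('/^[a-z0-9_]+$/', $state['cType'])) {
        return null;
    }
    return ['cType' => $state['cType'], 'uid' => $state['uid']];
}

// Usage with a constructed secret and state (placeholder values, not real ones).
$secret = 'replace-with-a-server-side-secret';
$token  = encodeSelectorState(['cType' => 'textmedia', 'uid' => 42], $secret);
var_dump(decodeSelectorState($token, $secret));        // valid token: the state array
var_dump(decodeSelectorState($token . 'x', $secret));  // tampered token: rejected
```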