The TYPO3 project has announced a critical security vulnerability affecting a popular third-party extension. The advisory, tagged as TYPO3-EXT-SA-2026-013, alerts administrators to a dangerous remote code execution (RCE) path hidden inside the “Content Element Selector” plugin.
Since the flaw can allow completely unauthenticated attackers to hijack vulnerable web servers, teams managing TYPO3 deployments need to verify their installed extensions immediately.
Tracked as CVE-2026-46725 (CVSS 9.2), the underlying flaw stems from an insecure deserialization issue (CWE-502). The extension falls short when handling untrusted client information. Specifically, it feeds data from an attacker-controlled browser cookie directly into PHP’s high-risk unserialize() function.
This programming oversight sets the stage for a classic PHP Object Injection exploit. A remote, unauthenticated bad actor can construct a malicious serialized payload within their cookie. When the server processes the request, the payload triggers arbitrary code execution on the underlying TYPO3 server.
However, the threat carries a specific constraint. For an attack to succeed, the targeted content element has to be explicitly configured with “Persistent Mode: Static” in the plugin options. If your setup matches this requirement, your site faces a critical threat vector.
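As an added illustration of the bug class the advisory describes (this is not code from the mmc/ceselector extension or from the advisory), the following PHP contrasts the insecure pattern, a browser cookie passed straight to unserialize(), with two hardened alternatives a defender would apply. The cookie name ce_selector_state, the expected array shape, and the PHP 8 target are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example: illustrates the bug class in the advisory, not the extension's
// own code. Cookie name "ce_selector_state" and the expected array shape are
// assumptions; the hardened variants target PHP 8.

// Vulnerable pattern (CWE-502): attacker-controlled cookie bytes go straight
// into unserialize(), so PHP instantiates whatever class the payload names and
// runs that class's __wakeup()/__destruct() hooks.
function loadStateVulnerable(array $cookies): mixed
{
    if (!isset($cookies['ce_selector_state'])) {
        return null;
    }
    return unserialize($cookies['ce_selector_state']);
}

// Recursively reject any object left in the decoded value. With
// allowed_classes => false, unserialize() never instantiates the named class
// but still yields a __PHP_Incomplete_Class placeholder, which we refuse.
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened variant 1: keep the serialized format, forbid all classes, cap the
// input size and nesting depth, and accept only a plain array.
function loadStateHardened(array $cookies): ?array
{
    $raw = $cookies['ce_selector_state'] ?? null;
    if (!is_string($raw) || strlen($raw) > 4096) {
        return null;
    }
    $state = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 4]);
    if (!is_array($state) || containsObject($state)) {
        return null;
    }
    return $state;
}

// Hardened variant 2 (preferred): store the state as JSON. json_decode() with
// $associative = true can only ever produce scalars and arrays, so there is no
// object to inject and no magic method to trigger.
function loadStateJson(array $cookies): ?array
{
    $raw = $cookies['ce_selector_state'] ?? null;
    if (!is_string($raw) || strlen($raw) > 4096) {
        return null;
    }
    try {
        $state = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($state) ? $state : null;
}

// Constructed cookie values for a local run; the second one names a harmless
// built-in class purely to show that any object payload is refused.
$benign  = ['ce_selector_state' => serialize(['selected' => 3, 'mode' => 'static'])];
$objects = ['ce_selector_state' => 'O:8:"stdClass":1:{s:1:"x";i:1;}'];
$json    = ['ce_selector_state' => json_encode(['selected' => 3, 'mode' => 'static'])];

var_dump(loadStateHardened($benign));
var_dump(loadStateHardened($objects));
var_dump(loadStateJson($json));
```

Run it with `php example.php`: the plain array cookie is returned by loadStateHardened(), the cookie carrying a serialized object yields null because the placeholder object is detected and refused, and the JSON variant returns the same array without unserialize() being involved at all. Of the two hardened variants, switching the storage format to JSON is the more robust fix, since allowed_classes only limits instantiation and still leaves the serialized parser exposed to malformed input.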
Because this is a third-party extension (mmc/ceselector), it will not show up in standard, vanilla TYPO3 core installations. The critical bug spans multiple legacy and active release tracks, impacting the following versions:
- 6.0.0
- 5.0.0
- 4.0.0 through 4.0.1
- 3.0.2 and all previous iterations
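For a Composer-managed TYPO3 site, the affected ranges above can be checked mechanically against composer.lock. The script below is an added example, not a tool from the advisory or the maintainers; the composer.lock fragment it falls back to is constructed, and the only version data it uses is the list in this article.

```php
<?php
declare(strict_types=1);

// Added example: reports whether the installed mmc/ceselector version falls in
// one of the affected ranges listed in TYPO3-EXT-SA-2026-013. Not a tool from
// the advisory or the extension maintainers.

const AFFECTED_PACKAGE = 'mmc/ceselector';

// Inclusive [low, high] ranges taken from the advisory's list. A lower bound
// of '0' encodes "3.0.2 and all previous iterations".
const AFFECTED_RANGES = [
    ['6.0.0', '6.0.0'],
    ['5.0.0', '5.0.0'],
    ['4.0.0', '4.0.1'],
    ['0',     '3.0.2'],
];

// True when $version sits inside any listed range. A leading "v" (as Composer
// sometimes records it) is stripped before comparison.
function isAffectedVersion(string $version): bool
{
    $v = ltrim($version, 'v');
    foreach (AFFECTED_RANGES as [$low, $high]) {
        if (version_compare($v, $low, '>=') && version_compare($v, $high, '<=')) {
            return true;
        }
    }
    return false;
}

// Returns the locked version string of $package from composer.lock JSON, or
// null when the package is not installed. Both prod and dev sections are read.
function installedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $all = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($all as $pkg) {
        if (($pkg['name'] ?? '') === $package) {
            return $pkg['version'] ?? null;
        }
    }
    return null;
}

// Constructed composer.lock fragment used when no path is given on the CLI.
$sampleLock = '{"packages":[{"name":"mmc/ceselector","version":"4.0.1"},'
    . '{"name":"vendor/other","version":"1.0.0"}],"packages-dev":[]}';

$lockPath = $argv[1] ?? null;
$lockJson = $sampleLock;
if ($lockPath !== null) {
    $contents = file_get_contents($lockPath);
    if ($contents === false) {
        fwrite(STDERR, "cannot read $lockPath\n");
        exit(2);
    }
    $lockJson = $contents;
}

$version = installedVersion($lockJson, AFFECTED_PACKAGE);
if ($version === null) {
    echo AFFECTED_PACKAGE . " is not present in composer.lock\n";
    exit(0);
}
if (isAffectedVersion($version)) {
    echo AFFECTED_PACKAGE . " $version is in an affected range; upgrade per TYPO3-EXT-SA-2026-013\n";
    exit(1);
}
echo AFFECTED_PACKAGE . " $version is outside the listed affected ranges\n";
```

Invoke it as `php check-ceselector.php /var/www/site/composer.lock`; the non-zero exit code makes it usable in a CI or fleet-audit job. It only covers Composer installs: an extension pulled in through the TYPO3 extension manager or a ZIP download has to be checked in the extension manager instead. Branch versions such as `dev-main` do not compare meaningfully with version_compare() and should be treated as unknown rather than safe.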
If you run this extension on your production systems, you should patch it as soon as possible to mitigate the risk. The project maintainers have distributed fixed versions across Packagist, the official TYPO3 extension manager, and via direct ZIP downloads.
To protect your infrastructure, upgrade to one of these safe versions depending on your branch:
For senior security leaders, this serves as another classic reminder to audit third-party plugins. For system admins, a fast update cycle now avoids a costly cleanup session later.