GHSA-8x3j-439w-537cCritical

TYPO3 Remote Code Execution in extension "Content Element Selector" (ceselector)

Published
May 19, 2026
Last Modified
June 29, 2026

🔗 CVE IDs covered (1)

📋 Description

The TYPO3 "Content Element Selector" (ceselector) extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with Persistent Mode: Static in the plugin settings. This has been patched in version 3.0.3, 4.0.2, 5.0.1, and 6.0.1.

🎯 Affected products4

  • composer/mmc/ceselector:>= 6.0.0, < 6.0.1
  • composer/mmc/ceselector:>= 5.0.0, < 5.0.1
  • composer/mmc/ceselector:>= 4.0.0, < 4.0.2
  • composer/mmc/ceselector:< 3.0.3

🔗 References (4)