PatchSiren cyber security CVE debrief
CVE-2026-46725 TYPO3 CVE debrief
CVE-2026-46725 describes a critical PHP object injection issue in a TYPO3-related extension. An attacker can supply a crafted cookie that is passed directly into PHP unserialize() without safe handling. If the affected content element is configured with Persistent Mode: Static, a remote unauthenticated attacker may be able to trigger code execution on the TYPO3 server. The vulnerability is rated CVSS 9.2 and maps to CWE-502.
- Vendor: TYPO3
- Product: Extension "Content Element Selector"
- CVSS: CRITICAL 9.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
TYPO3 administrators and developers who use the affected extension or content element configuration, especially deployments with Persistent Mode: Static enabled. Security teams responsible for public-facing TYPO3 installations should treat this as urgent until the affected package and configuration scope are confirmed.
Technical summary
The issue stems from unsafe deserialization of attacker-controlled cookie data. Because PHP unserialize() instantiates whatever classes the serialized input names, and runs magic methods such as __wakeup() and __destruct() on those objects with attacker-chosen property values, this pattern permits object injection whenever the input is not strictly validated or constrained. The supplied record and the vendor advisory it references indicate unauthenticated network reachability, with the impact described as remote code execution on the TYPO3 server. The NVD entry also classifies the weakness as CWE-502.
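To make the weakness class concrete, the following is an added illustration written for this debrief; it is not code from the "Content Element Selector" extension, the TYPO3 advisory or the NVD record. The cookie name ce_selection, the data shape (a list of content element UIDs) and all function names are assumptions, and the code targets PHP 8. It places the vulnerable shape next to a minimal containment (unserialize() with allowed_classes disabled) and the preferred fix (a data-only JSON cookie authenticated with an HMAC).

```php
<?php
// Added example, not code from the TYPO3 extension or the advisory.
// Cookie name, data shape and helper names are assumptions for illustration.
declare(strict_types=1);

// Vulnerable shape (CWE-502): a client-controlled cookie goes straight to
// unserialize(), so the client decides which classes are instantiated and
// which __wakeup()/__destruct() code runs on the server.
function loadSelectionVulnerable(array $cookies): mixed
{
    return isset($cookies['ce_selection'])
        ? unserialize($cookies['ce_selection'])
        : null;
}

// Minimal containment when the serialized format cannot be changed yet:
// allowed_classes => false turns every object into __PHP_Incomplete_Class
// (no magic methods run); max_depth bounds nesting (PHP >= 7.4).
function loadSelectionRestricted(array $cookies): mixed
{
    if (!isset($cookies['ce_selection']) || !is_string($cookies['ce_selection'])) {
        return null;
    }
    return unserialize($cookies['ce_selection'], [
        'allowed_classes' => false,
        'max_depth'       => 8,
    ]);
}

// Preferred fix: keep only plain data in the cookie, encode it as JSON and
// authenticate it with an HMAC so the client cannot forge or alter it.
function buildSelectionCookie(array $selection, string $secret): string
{
    $payload = base64_encode(json_encode($selection, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function loadSelectionHardened(array $cookies, string $secret): ?array
{
    $raw = $cookies['ce_selection'] ?? null;
    if (!is_string($raw) || strlen($raw) > 4096) {
        return null;
    }
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison against the MAC the server would have produced.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null; // forged or tampered cookie
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    try {
        $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    // Enforce the expected shape: a list of integer content element UIDs.
    if (!is_array($data) || !isset($data['uids']) || !is_array($data['uids'])) {
        return null;
    }
    return ['uids' => array_values(array_filter($data['uids'], 'is_int'))];
}

// Demonstration with a constructed secret and a constructed serialized-object
// cookie (a plain stdClass; enough to show the different code paths).
$secret = 'constructed-server-side-secret';
$good   = buildSelectionCookie(['uids' => [12, 34]], $secret);
var_dump(loadSelectionHardened(['ce_selection' => $good], $secret));
$objectCookie = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';
var_dump(loadSelectionHardened(['ce_selection' => $objectCookie], $secret));
var_dump(loadSelectionRestricted(['ce_selection' => $objectCookie]));
```

The hardened path never calls unserialize() at all: the cookie carries only JSON data, a bad or missing MAC rejects it before any parsing, and the decoded value is reduced to the exact shape the application expects. The restricted path is a stop-gap for code that still has to accept the legacy serialized format; it stops object instantiation but does not authenticate the data.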
Defensive priority
Immediate
Recommended defensive actions
- Identify the affected TYPO3 extension or integration referenced by the vendor advisory and confirm whether Persistent Mode: Static is enabled.
- Apply the vendor-provided fix or mitigation from the TYPO3 security advisory as soon as it is available.
- Disable or reconfigure the affected content element feature if Persistent Mode: Static is not required.
- Audit server-side code for any use of PHP unserialize() on request cookies or other client-controlled input.
- Review web logs for unusual cookie values or unexpected serialization patterns associated with the affected endpoint.
- Restrict exposure of the affected TYPO3 instance where possible until remediation is complete.
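The audit and log-review items above can be started with the following added helper script. It is not part of the advisory or of TYPO3; the log format (client IP, request line, status, then the raw Cookie header in quotes), the sample log lines and the sample source lines are all constructed for illustration. The first function flags cookies whose URL-decoded value contains a PHP serialized-object marker, the second flags unserialize() calls that pass no allowed_classes option; both are review aids, not proofs of safety.

```php
<?php
// Added example for the audit and log-review actions; not code from the
// advisory or the TYPO3 project. Log format and sample data are constructed.
declare(strict_types=1);

// A PHP-serialized object starts with O:<len>:"<Class>" (or C:<len>:"<Class>"
// for custom serialization); inside a serialized array it follows '{' or ';'.
const SERIALIZED_OBJECT = '/(?:^|[{;])(?:O|C):\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*"/';

// Returns one finding per cookie whose URL-decoded value looks like a
// serialized PHP object: [log line number, cookie name, class name seen].
function findSerializedObjectCookies(array $logLines): array
{
    $findings = [];
    foreach ($logLines as $n => $line) {
        // Constructed format: the raw Cookie header is the last quoted field.
        if (!preg_match('/"([^"]*)"\s*$/', $line, $m)) {
            continue;
        }
        foreach (explode(';', $m[1]) as $pair) {
            $eq = strpos($pair, '=');
            if ($eq === false) {
                continue;
            }
            $name  = trim(substr($pair, 0, $eq));
            $value = urldecode(trim(substr($pair, $eq + 1)));
            if (preg_match(SERIALIZED_OBJECT, $value, $cm)) {
                preg_match('/"([^"]+)"/', $cm[0], $cls);
                $findings[] = [$n + 1, $name, $cls[1]];
            }
        }
    }
    return $findings;
}

// Crude source audit: report line numbers of unserialize( calls that do not
// mention allowed_classes on the same line. Every hit needs manual review to
// confirm whether the input is client-controlled.
function findUnguardedUnserialize(string $phpSource): array
{
    $hits = [];
    foreach (explode("\n", $phpSource) as $i => $line) {
        if (preg_match('/\bunserialize\s*\(/', $line)
            && !str_contains($line, 'allowed_classes')) {
            $hits[] = $i + 1;
        }
    }
    return $hits;
}

// Constructed log lines: a benign serialized array, a top-level object,
// and an object nested inside an array.
$constructedLog = [
    '203.0.113.5 "GET /page?id=12 HTTP/1.1" 200 "fe_typo_user=abc123; ce_selection=a%3A1%3A%7Bs%3A4%3A%22uids%22%3Ba%3A1%3A%7Bi%3A0%3Bi%3A12%3B%7D%7D"',
    '203.0.113.9 "GET /page?id=12 HTTP/1.1" 200 "ce_selection=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D"',
    '198.51.100.7 "GET /page?id=12 HTTP/1.1" 200 "ce_selection=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"',
];
print_r(findSerializedObjectCookies($constructedLog));

// Constructed source excerpt: only the first line should be reported.
$constructedSource = <<<'PHP'
$sel = unserialize($_COOKIE['ce_selection']);
$sel = unserialize($_COOKIE['ce_selection'], ['allowed_classes' => false]);
$sel = json_decode($_COOKIE['ce_selection'], true);
PHP;
print_r(findUnguardedUnserialize($constructedSource));
```

Run it against an export of access logs that includes the Cookie header (many web servers do not log cookies by default, so the field may need to be enabled for the affected endpoint) and against the extension's PHP sources; the second cookie and the nested object in the third line are the kind of values worth correlating with the endpoint the advisory describes.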
Evidence notes
The debrief is based on the supplied NVD record, which cites the TYPO3 security advisory URL and classifies the issue as CWE-502. The source description states that an attacker-controlled cookie is passed to PHP unserialize(), enabling PHP Object Injection and potential RCE, with exploitation dependent on the content element being configured for Persistent Mode: Static. No affected version list or patch details were provided in the supplied corpus.
Official resources
- CVE-2026-46725 CVE record (CVE.org)
- CVE-2026-46725 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: f4fb688c-4412-4426-b4b8-421ecf27b14a
Published by the CVE/NVD record on 2026-05-19T10:16:25.457Z. The supplied source references the TYPO3 security advisory as the vendor-linked disclosure source.