TYPO3 Remote Code Execution in extension "Content Element Selector" (ceselector)
Critical severity
GitHub Reviewed
Published May 19, 2026 to the GitHub Advisory Database • Updated Jun 29, 2026
Package
Affected versions
>= 6.0.0, < 6.0.1
>= 5.0.0, < 5.0.1
>= 4.0.0, < 4.0.2
< 3.0.3
Patched versions
6.0.1
5.0.1
4.0.2
3.0.3
Description
Published by the National Vulnerability Database: May 19, 2026
Published to the GitHub Advisory Database: May 19, 2026
Reviewed: Jun 29, 2026
Last updated: Jun 29, 2026
The TYPO3 "Content Element Selector" (ceselector) extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with Persistent Mode: Static in the plugin settings. This has been patched in versions 3.0.3, 4.0.2, 5.0.1, and 6.0.1.
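An added example, not code from the ceselector extension or its patch: the unsafe pattern the description refers to, next to a cookie reader that never passes client data to unserialize(). The cookie name, key handling and state layout are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout: the cookie name, key and state layout are
// assumptions for illustration, not taken from ceselector.
const STATE_COOKIE = 'selector_state';

// Unsafe pattern described in the advisory: any class loadable by the
// application can be instantiated from client-supplied bytes.
function readStateUnsafe(array $cookies): mixed
{
    return unserialize($cookies[STATE_COOKIE] ?? '');
}

// Hardened writer: JSON carries only scalars and arrays, and an HMAC binds
// the value to a server-side secret.
function encodeState(array $state, string $key): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key);
    return base64_encode($json) . '.' . $mac;
}

// Hardened reader: verify the MAC in constant time before parsing, and
// return null (treated as "no stored state") on any malformed input.
function decodeState(array $cookies, string $key): ?array
{
    $raw = $cookies[STATE_COOKIE] ?? null;
    if (!is_string($raw) || substr_count($raw, '.') !== 1) {
        return null;
    }
    [$b64, $mac] = explode('.', $raw);
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null;
    }
    try {
        $state = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($state) ? $state : null;
}

// Constructed sample input: a signed cookie, then a bare serialized string.
$key    = random_bytes(32);
$cookie = [STATE_COOKIE => encodeState(['element' => 42], $key)];
var_dump(decodeState($cookie, $key));
var_dump(decodeState([STATE_COOKIE => 'O:8:"stdClass":0:{}'], $key));
```

Where the serialized format has to be kept, unserialize() accepts `['allowed_classes' => false]` as its second argument, which prevents object instantiation from the input.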