TYPO3 Content Element Selector Extension Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the TYPO3 extension 'Content Element Selector' (ceselector), specifically in versions 6.0.0, 5.0.0, 4.0.0 - 4.0.1, and 3.0.2 and below. The issue arises from the extension's failure to properly sanitize an attacker-controlled cookie before passing it to PHP's unserialize() function. This vulnerability allows for PHP Object Injection, which can be exploited to execute arbitrary code on the TYPO3 server. Successful exploitation requires the content element to be set to 'Persistent Mode: Static' in the plugin settings.
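The pattern described above, next to a hardened alternative, as an added example (not the extension's code, and not a description of how the patched releases fix the issue). The cookie name, key handling and state layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const COOKIE_NAME = 'ce_selection'; // hypothetical name, not from the advisory

// Vulnerable pattern: the cookie reaches unserialize() unchanged, so the
// client chooses which classes are instantiated and which magic methods
// (__wakeup, __destruct) run on the server.
function loadSelectionUnsafe(array $cookies)
{
    return unserialize($cookies[COOKIE_NAME] ?? '');
}

// Hardened form: the state is JSON (data only, no objects) with an HMAC,
// so a value the server did not issue is rejected before it is parsed.
function encodeSelection(array $state, string $key): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}

function loadSelectionSafe(array $cookies, string $key): ?array
{
    $raw = $cookies[COOKIE_NAME] ?? '';
    if (!is_string($raw) || substr_count($raw, '.') !== 1) {
        return null;
    }
    [$b64, $mac] = explode('.', $raw);
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null;
    }
    try {
        $state = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($state) ? $state : null;
}

// Constructed sample: a server-issued cookie round-trips; a tampered one is rejected.
$key    = 'constructed-demo-key'; // assumption: real key comes from server-side config
$cookie = encodeSelection(['uid' => 42], $key);
var_dump(loadSelectionSafe([COOKIE_NAME => $cookie], $key));
var_dump(loadSelectionSafe([COOKIE_NAME => 'x' . $cookie], $key));
```

Where a serialized format cannot be replaced, passing `['allowed_classes' => false]` as the second argument to unserialize() stops object instantiation, but the value should still be authenticated before it is parsed.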

Impact

Exploitation of this vulnerability allows for remote code execution on the TYPO3 server.

Remediation

Users are advised to update the 'Content Element Selector' extension to version 6.0.1, 5.0.1, 4.0.2, or 3.0.3. These versions are available through the TYPO3 Extension Manager, Packagist, and the TYPO3 Extensions Repository.

Added: May 19, 2026, 10:20 AM
Updated: May 19, 2026, 10:20 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 7.5
exploitability: 6.2
remediation: 3.1
relevance: 8.7
threat: 0.1
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.