
Description

The extension passes an attacker-controlled cookie directly to PHP's unserialize() without validating it first. A remote, unauthenticated attacker can supply a crafted serialized payload in that cookie to trigger PHP Object Injection, which can lead to Remote Code Execution on the TYPO3 server. Exploitation requires the affected content element to be configured with "Persistent Mode: Static" in the plugin settings; this precondition is what the CVSS vector's AT:P (Attack Requirements: Present) reflects.
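The pattern described above, as an added illustration that is not the affected extension's code: a hypothetical function that restores client-side state by calling unserialize() on raw cookie data, beside a hardened version that refuses serialized objects. The cookie name (persistent_state), the CacheEntry class and all function names are assumptions made for this example; the crafted string is constructed here to show how a serialized object token behaves and is not an exploit for the real extension.

```php
<?php
// Added example of CWE-502 (deserialization of untrusted data) as described
// in the advisory. Not the extension's code: cookie name, class and function
// names are assumptions for this illustration.
declare(strict_types=1);

// Hypothetical class with a magic method. Any class reachable through the
// autoloader that performs side effects in __wakeup/__destruct/__toString is
// a gadget candidate once attacker-controlled bytes reach unserialize().
final class CacheEntry
{
    public string $path = '';

    public function __wakeup(): void
    {
        // Runs automatically on unserialize(); the attacker chose $path.
        // A real gadget would act on it (write a file, include it, ...).
        echo "CacheEntry::__wakeup ran with path={$this->path}\n";
    }
}

// BEFORE (vulnerable): the raw cookie reaches unserialize(), so the sender
// can instantiate any loaded class and pick every property value.
function restoreStateVulnerable(array $cookies): mixed
{
    $raw = $cookies['persistent_state'] ?? '';
    return unserialize($raw);
}

// Minimal mitigation when the serialized format cannot be changed yet:
// allowed_classes => false turns any O:/C: token into __PHP_Incomplete_Class,
// so no class is instantiated and no magic method runs.
function unserializeNoObjects(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// AFTER (hardened): store a data-only format (JSON) client-side, fail closed
// on malformed input, and allow-list the keys the element actually needs.
function restoreStateHardened(array $cookies): array
{
    $raw = $cookies['persistent_state'] ?? '';
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('state cookie must be a JSON object');
    }
    return [
        'page'   => (int) ($data['page'] ?? 0),
        'filter' => (string) ($data['filter'] ?? ''),
    ];
}

// Constructed demo value: a serialized CacheEntry as it could appear in a cookie.
$crafted = 'O:10:"CacheEntry":1:{s:4:"path";s:13:"/tmp/demo.txt";}';

$obj = restoreStateVulnerable(['persistent_state' => $crafted]);
echo get_class($obj), "\n";          // CacheEntry: real object, __wakeup already ran

$inert = unserializeNoObjects($crafted);
echo get_class($inert), "\n";        // __PHP_Incomplete_Class: placeholder, no magic methods

try {
    restoreStateHardened(['persistent_state' => $crafted]);
} catch (JsonException $e) {
    echo "rejected: cookie is not JSON\n";
}
print_r(restoreStateHardened(['persistent_state' => '{"page":3,"filter":"news"}']));
```

The allowed_classes option is a stop-gap: it blocks object instantiation but still lets an attacker feed arbitrary nested arrays and strings into whatever consumes the result, so the JSON variant with an explicit key allow-list is the shape the fix should take.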

State PUBLISHED | Reserved 2026-05-16 | Published 2026-05-19 | Updated 2026-05-19 | Assigner TYPO3

CRITICAL 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status: unaffected

6.0.0 (semver) before 6.0.1: affected

5.0.0 (semver) before 5.0.1: affected

4.0.0 (semver) before 4.0.2: affected

Any version before 3.0.3: affected

Credits

Torben Hansen reporter

Matthias Mächler remediation developer

References

typo3.org/security/advisory/typo3-ext-sa-2026-013 vendor-advisory

cve.org (CVE-2026-46725)

nvd.nist.gov (CVE-2026-46725)
