CVE Catalog

CVE-2026-46725

Critical
Published: Translated: NVD NIST

Summary

The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server.

Risk Assessment

Exploitation of this vulnerability could allow an attacker to gain full control over the TYPO3 server, posing a serious security threat to the organization.

Recommendation

It is recommended to update the extension to the latest version and configure the content element with 'Persistent Mode: Static' disabled.

Original NVD description (English source)

The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS