Deserialization in TYPO3 Extension "Content Element Selector"

CVE-2026-46725

The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to…

Vulnerability class: Insecure Deserialization

EPSS: 0.033 (87.4th percentile)

Affected products

Weakness classification (CWE)

References