THE TYPO3 project has issued a critical security advisory regarding a remote code execution (RCE) vulnerability (CVE-2026-46725) affecting the "Content Element Selector" plugin. This vulnerability arises from an insecure deserialization issue, allowing unauthorized attackers to execute arbitrary code on TYPO3 servers. The flaw affects multiple versions of the extension and can be exploited if specific plugin configurations ("Persistent Mode: Static") are used.
Affected versions include 3.0.2 and earlier up to 6.0.0. Site administrators are urged to update to patched versions (6.0.1, 5.0.1, 4.0.2, 3.0.3) immediately to mitigate risks.