CVE-2026-46725 Overview
CVE-2026-46725 is a critical PHP Object Injection vulnerability in a TYPO3 extension that passes an attacker-controlled cookie directly into PHP's unserialize() function. A remote, unauthenticated attacker can submit a crafted serialized payload to trigger object instantiation and gadget-chain execution, resulting in Remote Code Execution (RCE) on the TYPO3 server. Exploitation requires the affected content element to be configured with Persistent Mode: Static in the plugin settings. The flaw is classified under CWE-502: Deserialization of Untrusted Data.
Critical Impact
Unauthenticated remote attackers can achieve Remote Code Execution on TYPO3 servers running affected extension configurations by sending a single crafted cookie.
Affected Products
- TYPO3 CMS extension referenced in TYPO3-EXT-SA-2026-013
- TYPO3 installations where the affected plugin uses Persistent Mode: Static
- TYPO3 web servers exposing the vulnerable content element to unauthenticated clients
Discovery Timeline
- 2026-05-19 - CVE-2026-46725 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-46725
Vulnerability Analysis
The vulnerability lies in how the TYPO3 extension restores plugin state from a client-supplied cookie. The extension reads the cookie value and forwards it directly to PHP's unserialize() without validation or signature verification. PHP's unserialize() reconstructs objects of any class loaded in the runtime and, in doing so, triggers magic methods: __wakeup() during deserialization, __destruct() when the reconstructed objects are released, and __toString() wherever such an object is later coerced to a string.
An attacker who controls the serialized payload can chain existing classes loaded in the TYPO3 runtime to build a property-oriented programming (POP) gadget chain. These chains typically end in dangerous sinks such as file writes, SQL execution, or system()-like calls, producing Remote Code Execution under the privileges of the PHP-FPM or web server process.
Root Cause
The root cause is unsafe deserialization of untrusted input [CWE-502]. The extension treats the cookie as trusted session state instead of opaque attacker-controlled data. No integrity check, HMAC, or allow-list of serializable classes protects the call to unserialize(). The dependency on Persistent Mode: Static reflects the code path where the extension stores and rehydrates plugin state through cookies.
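The vulnerable pattern beside a hardened replacement, as an added example that is not the affected extension's code: plugin state is carried as JSON (which can never instantiate objects) and bound to a server-side secret with an HMAC. The function and cookie names are hypothetical, the secret is a constructed demo value, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern described in the advisory: the client-controlled cookie reaches
// unserialize() unchecked, so any class loaded in the TYPO3 runtime can be instantiated
// and its __wakeup()/__destruct() logic driven by the attacker. Passing
// ['allowed_classes' => false] would block object creation but is only a stop-gap;
// the cookie still needs integrity protection.
function restorePluginStateUnsafe(array $cookies, string $name): mixed
{
    return unserialize($cookies[$name] ?? 'N;');
}

// Hardened form: JSON payload, base64 so it is cookie-safe, HMAC over the payload.
function encodePluginState(array $state, string $secret): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function restorePluginStateSafe(array $cookies, string $name, string $secret): ?array
{
    $raw = $cookies[$name] ?? null;
    if (!is_string($raw) || substr_count($raw, '.') !== 1) {
        return null; // missing or malformed: fall back to default state
    }
    [$payload, $mac] = explode('.', $raw, 2);
    // hash_equals() compares in constant time; reject before touching the payload.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    // assoc=true yields plain arrays only; the depth limit bounds attacker-shaped input.
    $state = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : null;
}

// Constructed demo values. In TYPO3, derive the secret from the installation's
// encryptionKey or a secret store rather than hard-coding it.
$secret = 'constructed-demo-secret';
$good   = encodePluginState(['page' => 3, 'filter' => 'news'], $secret);
var_dump(restorePluginStateSafe(['plugin_state' => $good], 'plugin_state', $secret));
// A raw serialized object, the payload shape the advisory warns about, never reaches a parser.
var_dump(restorePluginStateSafe(['plugin_state' => 'O:8:"stdClass":0:{}'], 'plugin_state', $secret));
```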
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker issues an HTTP request to any TYPO3 page rendering the vulnerable plugin and sets the targeted cookie to a serialized PHP gadget chain. On the next request processing cycle, the extension deserializes the payload and executes the gadget chain. The vulnerability mechanism is documented in the TYPO3 Security Advisory.
Detection Methods for CVE-2026-46725
Indicators of Compromise
- Inbound HTTP requests containing cookie values beginning with PHP serialization markers such as O:, a:, or s:.
- Unexpected child processes spawned by the PHP-FPM or Apache worker process, including sh, bash, curl, or wget.
- New or modified files under the TYPO3 document root, particularly PHP files inside typo3temp/, fileadmin/, or extension directories.
- Outbound network connections from the web server to attacker-controlled hosts immediately after suspicious cookie traffic.
Detection Strategies
- Inspect web server and reverse proxy logs for cookie headers containing serialized PHP object signatures and block or alert on matches.
- Monitor PHP error logs for unserialize() warnings, class-not-found errors, and __wakeup or __destruct exceptions tied to the affected extension.
- Correlate web request telemetry with endpoint process creation events to identify web-server-spawned shells.
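A detector for the first two strategies above, as an added example not taken from the advisory: it parses access-log lines that capture the full Cookie header, URL-decodes each cookie value and flags the PHP serialization markers. The log format, cookie names, addresses and sample lines are all constructed; PHP is used only so the scan can run on the web host itself.

```php
<?php
// Patterns applied to each URL-decoded cookie value. O:/C: (object) is the high-signal
// marker for CWE-502 abuse; a: and s: also appear in benign serialized cookies.
const SERIALIZED_PATTERNS = [
    'object' => '/^[OC]:\d+:"/',
    'array'  => '/^a:\d+:\{/',
    'string' => '/^s:\d+:"/',
];

function scanCookieHeader(string $cookieHeader): array
{
    $hits = [];
    foreach (explode(';', $cookieHeader) as $pair) {
        [$name, $value] = array_pad(explode('=', trim($pair), 2), 2, '');
        // Payloads are frequently URL-encoded (O%3A8%3A...), so decode before matching.
        $value = rawurldecode($value);
        foreach (SERIALIZED_PATTERNS as $kind => $re) {
            if (preg_match($re, $value) === 1) {
                $hits[] = ['cookie' => $name, 'kind' => $kind];
                break;
            }
        }
    }
    return $hits;
}

// Log format is a constructed assumption: <ip> "<method> <path>" <status> cookie="<Cookie header>"
function scanAccessLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $i => $line) {
        if (preg_match('/^(\S+) "([^"]*)" (\d{3}) cookie="(.*)"$/', $line, $m) !== 1) {
            continue; // unparseable line; production code should count and surface these
        }
        foreach (scanCookieHeader($m[4]) as $hit) {
            $alerts[] = sprintf('line %d: %s %s -> cookie "%s" holds serialized PHP (%s)',
                $i + 1, $m[1], $m[2], $hit['cookie'], $hit['kind']);
        }
    }
    return $alerts;
}

// Constructed sample lines: a benign session, a URL-encoded object payload, a URL-encoded array.
$sampleLog = [
    '203.0.113.10 "GET /news" 200 cookie="fe_typo_user=abc123; plugin_state=eyJwYWdlIjozfQ.9f1c"',
    '203.0.113.22 "GET /news" 200 cookie="plugin_state=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    '203.0.113.35 "GET /news" 500 cookie="plugin_state=a%3A1%3A%7Bi%3A0%3Bi%3A2%3B%7D"',
];
print_r(scanAccessLog($sampleLog));
```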
Monitoring Recommendations
- Enable detailed access logging that captures full Cookie headers on TYPO3 front-end controllers.
- Forward web, PHP, and host telemetry to a centralized analytics platform and alert on web-process-to-shell process lineage.
- Track file integrity for the TYPO3 web root and flag new PHP files written by the web server user.
How to Mitigate CVE-2026-46725
Immediate Actions Required
- Apply the fixed extension version listed in TYPO3-EXT-SA-2026-013 immediately.
- Audit TYPO3 sites for content elements configured with Persistent Mode: Static and disable the setting until patched.
- Rotate any TYPO3 backend credentials, API tokens, and database secrets that may have been exposed on compromised hosts.
- Review web server file systems for unauthorized PHP files and persistence artifacts.
Patch Information
The vendor has published fixed versions through the TYPO3 extension repository. Review the TYPO3 Security Advisory TYPO3-EXT-SA-2026-013 for the exact fixed releases and upgrade instructions. Update the extension through Composer or the TYPO3 Extension Manager, then clear all TYPO3 caches.
Workarounds
- Switch affected plugins away from Persistent Mode: Static to a non-vulnerable persistence mode until the patch is deployed.
- Deploy a Web Application Firewall (WAF) rule that rejects requests where the affected cookie contains PHP serialization markers such as O: followed by a class name.
- Restrict access to TYPO3 pages that render the vulnerable plugin using network ACLs or authentication where business requirements allow.
# Example WAF / nginx rule to drop requests with serialized PHP objects in the targeted cookie.
# Replace affected_cookie_name with the cookie the vulnerable extension reads and place the
# block in the server or location context that serves the plugin. The alternation also
# catches the URL-encoded form (O%3A...) that a client may send instead of a literal colon.
if ($http_cookie ~* "(^|;\s*)affected_cookie_name=O(:|%3A)[0-9]+(:|%3A)") {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.