External risk intelligence

TYPO3 server takeover via crafted cookies

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-46725

A critical vulnerability in TYPO3 allows unauthenticated attackers to run malicious code on your server by sending a specially crafted cookie, potentially leading to full server compromise.

4Halo Surface Signal

Deserialization

External exposure likelihood

Halo Surface Signal score for CVE-2026-46725

TYPO3 is a content management system typically deployed as a public-facing web application. Since the vulnerability involves processing HTTP cookies, which is a standard function for internet-accessible web services, the vulnerable interface is commonly exposed to the public internet.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This security flaw in TYPO3 allows an unauthenticated attacker to execute code remotely on the server. The issue stems from how the extension handles user-provided cookie data, which is then passed to a vulnerable PHP function without proper checks. This could lead to a complete compromise of the server if the plugin is configured in a specific way.

  • Attackers can gain control of the server.
  • This affects TYPO3 instances with specific configurations.

Attack Path

How an attacker could exploit the issue

A remote attacker can exploit this vulnerability by sending a specially crafted cookie to a TYPO3 server. If the vulnerable extension is configured to use "Persistent Mode: Static", the attacker's payload can trigger PHP Object Injection, allowing them to execute arbitrary code on the server. This bypasses authentication and requires no user interaction.

  • Unauthenticated remote attacker.
  • Targets TYPO3 server.
  • Requires specific plugin configuration.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability offers a direct path to Remote Code Execution on TYPO3 servers, a common target for attackers. The ability for an unauthenticated attacker to leverage this through a crafted cookie, especially if the plugin is configured for static mode, presents a significant risk. While the specific configuration requirement might slightly limit immediate widespread exploitation, the severity of the outcome makes it a prime candidate for targeted attacks or inclusion in exploit kits.

  • Unauthenticated RCE is highly desirable.
  • Public exploit code is not yet observed.
  • Recent advisory publication.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate investigation of TYPO3 logs for signs of attempted exploitation of the PHP Object Injection vulnerability in the extension. If exploitation is detected or the extension is confirmed to be configured with "Persistent Mode: Static," isolate or take affected services offline until a patch can be applied.

  • Review extension configuration for "Persistent Mode: Static."
  • Block unauthenticated requests with suspicious serialized payloads.
  • Monitor for outbound network connections from TYPO3 servers.

Frequently asked questions

What is TYPO3 and its primary use case?

TYPO3 is a versatile open-source content management system used globally by organizations to manage and publish digital content for websites and applications, from basic sites to complex enterprise portals.

How does CVE-2026-46725 lead to remote code execution?

CVE-2026-46725 is a PHP Object Injection vulnerability. An attacker-controlled cookie is passed to PHP's unserialize() function without sanitization, allowing a crafted payload to execute arbitrary code on the TYPO3 server.

What is the weakness class and trigger path for CVE-2026-46725?

The weakness class is CWE-502 (Deserialization of Untrusted Data). The trigger path involves an attacker sending a crafted serialized payload in a cookie to the affected TYPO3 extension.

What is the relevance of CVE-2026-46725, considering Halo Surface Signal?

Halo classifies this CVE as external with a score of 4 (Likely), indicating its high relevance. TYPO3 is a public-facing web application, and the vulnerability involves processing HTTP cookies, a common interface exposed to the internet.

What practical steps should be taken in response to CVE-2026-46725?

Investigate TYPO3 logs for exploitation attempts. Review the extension's configuration for 'Persistent Mode: Static.' Block suspicious requests and monitor TYPO3 servers for unusual outbound network activity until a patch is applied.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished