Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.
AnalysisAI
XML External Entity (XXE) injection in the OOXML file indexer of the TYPO3 'Faceted Search' extension (EXT:faceted_search) allows a high-privileged authenticated attacker to cause the server to disclose local file contents or perform outbound HTTP requests (SSRF), with retrieved data written to the search index. Exploitation requires placing a crafted XLSX or PPTX document into a directory processed by the indexer. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
The root cause is CWE-611 (Improper Restriction of XML External Entity Reference). OOXML formats - Office Open XML files such as XLSX (Excel) and PPTX (PowerPoint) - are ZIP archives containing XML documents. A conforming XML parser that does not explicitly disable external entity (XXE) resolution will follow DOCTYPE ENTITY declarations to external URIs or local file paths. The TYPO3 Faceted Search extension's file indexer parses these OOXML documents to extract content for the search index, but fails to configure the XML parser with safe defaults (e.g., disabling LIBXML_NONET and LIBXML_NOENT in PHP). The affected product is identified by CPE cpe:2.3:a:typo3:extension_'faceted_search':*:*:*:*:*:*:*:* - the wildcard version field indicates the full version range has not been narrowed in NVD data, and the specific affected/fixed versions are documented in the vendor advisory.
RemediationAI
The primary remediation is to apply the patched version of the TYPO3 Faceted Search extension as documented in the vendor advisory at https://typo3.org/security/advisory/typo3-ext-sa-2026-011. The exact fixed version number is not confirmed in the available input data - consult the advisory directly to identify the minimum safe release and update via the TYPO3 Extension Manager or Composer. If immediate patching is not possible, the most targeted compensating control is to prevent untrusted or semi-trusted backend users from placing XLSX or PPTX files into directories processed by the Faceted Search indexer - this can be achieved by reviewing and restricting file mount permissions in TYPO3 backend user/group configuration. Administrators should also consider temporarily disabling the file indexing feature for OOXML types if the extension allows per-type indexing configuration. Note that restricting file uploads in the backend may impact legitimate editor workflows. Additionally, in cloud environments, block outbound HTTP to instance metadata endpoints (e.g., 169.254.169.254) at the network or host firewall level to limit SSRF impact.
More in Extension Faceted Search
View allPath traversal in the TYPO3 'Faceted Search' extension's file indexer exposes arbitrary server filesystem content to hig
Sensitive internal TYPO3 database content can be exfiltrated into the public search index via the Faceted Search extensi
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30859
GHSA-fq39-62gx-8hqx