Skip to main content

TYPO3 Faceted Search CVE-2026-46722

| EUVDEUVD-2026-30859 MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-05-19 TYPO3 GHSA-fq39-62gx-8hqx
5.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 19, 2026 - 11:16 EUVD
Analysis Generated
May 19, 2026 - 10:48 vuln.today
CVSS changed
May 19, 2026 - 10:22 NVD
5.9 (MEDIUM)

DescriptionCVE.org

The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.

AnalysisAI

XML External Entity (XXE) injection in the OOXML file indexer of the TYPO3 'Faceted Search' extension (EXT:faceted_search) allows a high-privileged authenticated attacker to cause the server to disclose local file contents or perform outbound HTTP requests (SSRF), with retrieved data written to the search index. Exploitation requires placing a crafted XLSX or PPTX document into a directory processed by the indexer. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

The root cause is CWE-611 (Improper Restriction of XML External Entity Reference). OOXML formats - Office Open XML files such as XLSX (Excel) and PPTX (PowerPoint) - are ZIP archives containing XML documents. A conforming XML parser that does not explicitly disable external entity (XXE) resolution will follow DOCTYPE ENTITY declarations to external URIs or local file paths. The TYPO3 Faceted Search extension's file indexer parses these OOXML documents to extract content for the search index, but fails to configure the XML parser with safe defaults (e.g., disabling LIBXML_NONET and LIBXML_NOENT in PHP). The affected product is identified by CPE cpe:2.3:a:typo3:extension_'faceted_search':*:*:*:*:*:*:*:* - the wildcard version field indicates the full version range has not been narrowed in NVD data, and the specific affected/fixed versions are documented in the vendor advisory.

RemediationAI

The primary remediation is to apply the patched version of the TYPO3 Faceted Search extension as documented in the vendor advisory at https://typo3.org/security/advisory/typo3-ext-sa-2026-011. The exact fixed version number is not confirmed in the available input data - consult the advisory directly to identify the minimum safe release and update via the TYPO3 Extension Manager or Composer. If immediate patching is not possible, the most targeted compensating control is to prevent untrusted or semi-trusted backend users from placing XLSX or PPTX files into directories processed by the Faceted Search indexer - this can be achieved by reviewing and restricting file mount permissions in TYPO3 backend user/group configuration. Administrators should also consider temporarily disabling the file indexing feature for OOXML types if the extension allows per-type indexing configuration. Note that restricting file uploads in the backend may impact legitimate editor workflows. Additionally, in cloud environments, block outbound HTTP to instance metadata endpoints (e.g., 169.254.169.254) at the network or host firewall level to limit SSRF impact.

Share

CVE-2026-46722 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy