TYPO3 Faceted Search CVE-2026-46723

EUVD-2026-30863 | MEDIUM | CVSS 4.0: 5.9
Exposure of Resource to Wrong Sphere (CWE-668)
2026-05-19 | TYPO3 | GHSA-67j3-jmm3-32xc

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X

Lifecycle Timeline

Patch available: May 19, 2026 - 11:16 (EUVD)
Analysis Generated: May 19, 2026 - 10:47 (vuln.today)
CVSS changed: May 19, 2026 - 10:22 (NVD), 5.9 (MEDIUM)

Description (NVD)

The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index.

Analysis (AI)

Sensitive internal TYPO3 database content can be exfiltrated into the public search index via the Faceted Search extension's misconfigured additional_tables parameter. Backend users holding permission to edit indexer configurations can reference arbitrary internal database tables and fields - including those storing backend credentials, frontend user records, or other protected data - causing the search indexer to copy that data into the search index where it may be surfaced in search results or via API responses. …
