Skip to main content

TYPO3 Faceted Search CVE-2026-46724

| EUVDEUVD-2026-30864 MEDIUM
Path Traversal (CWE-22)
2026-05-19 TYPO3 GHSA-c72x-mc2p-wv7x
5.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 19, 2026 - 11:16 EUVD
Analysis Generated
May 19, 2026 - 10:48 vuln.today
CVSS changed
May 19, 2026 - 10:22 NVD
5.9 (MEDIUM)

DescriptionCVE.org

The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences.

AnalysisAI

Path traversal in the TYPO3 'Faceted Search' extension's file indexer exposes arbitrary server filesystem content to high-privileged backend users. Because the indexer does not normalize or canonicalize the configured directory path before use, a backend user holding the specific permission to edit indexer configurations can supply path traversal sequences to redirect indexing at sensitive locations outside the intended document root. The CVSS 4.0 score of 5.9 (Medium) reflects high confidentiality impact (VC:H) constrained by the requirement for high privileges (PR:H). No public exploit or CISA KEV listing exists at time of analysis.

Technical ContextAI

The vulnerability is rooted in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a classic path traversal weakness. TYPO3 is a PHP-based enterprise CMS; its 'Faceted Search' extension (CPE: cpe:2.3:a:typo3:extension_"faceted_search":*:*:*:*:*:*:*:*) provides a configurable file indexer that reads document directories and feeds their contents into a search index. The flaw arises because the extension accepts an administrator-supplied directory path and passes it to the indexer without first normalizing it - for example, resolving '..' sequences or anchoring to an allowed base path. As a result, sequences such as '../../etc/' or absolute paths can escape the intended directory boundary, causing the indexer to traverse and expose filesystem content the web application user account can read. The attack vector is Network (AV:N) because the configuration is submitted via TYPO3's web-based backend, though AT:P indicates additional prerequisites (the specific permission grant) must be in place.

RemediationAI

The primary fix is to update the TYPO3 'Faceted Search' extension to the patched version identified in the vendor advisory at https://typo3.org/security/advisory/typo3-ext-sa-2026-011. Patch available per vendor advisory; an exact fixed version number was not independently confirmed from the available input data and must be verified directly from that advisory. As a compensating control prior to patching, administrators should immediately audit and restrict the 'edit indexer configurations' backend permission, removing it from any role assigned to partially trusted users and retaining it only for fully trusted site administrators - this directly eliminates the PR:H attack vector for untrusted accounts. Additionally, enforcing PHP-level open_basedir restrictions or OS-level filesystem permissions that limit the web server process to only required document directories will reduce the blast radius of any path traversal attempt, though this may require testing to avoid disrupting legitimate indexer functionality.

Share

CVE-2026-46724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy