Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2.
AnalysisAI
Stored Cross-Site Scripting in TYPO3 CMS allows authenticated editors to embed raw HTML and JavaScript payloads into page titles that are written to the search index without sanitization. When the EXT:indexed_search (Indexed Search) plugin renders frontend search results, these unsanitized titles are output directly into the HTML response, executing attacker-controlled scripts in the browsers of any user who views those results. No public exploit or CISA KEV listing is identified at time of analysis, but the stored nature of the XSS - requiring only a single malicious edit to affect many users over time - elevates practical impact beyond what the medium CVSS 4.0 score of 5.1 might suggest.
Technical ContextAI
TYPO3 CMS is a PHP-based enterprise content management system. The vulnerability resides in EXT:indexed_search, a bundled TYPO3 system extension that crawls and indexes page content for frontend full-text search. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): the SearchController class at typo3/sysext/indexed_search/Classes/Controller/SearchController.php retrieved the stored page title from the search index and passed it to the compileSingleResultRow() method without applying htmlspecialchars() before interpolating it into the HTML output. Critically, the title was sanitized inline only when placed inside an anchor tag, leaving other rendering paths unprotected; the fix (commit 2e96dd0e) adds a blanket htmlspecialchars($title) call at the point of retrieval so the value is safe in all downstream contexts. The CPE-implied scope covers TYPO3 Core versions 13.0.0 through 13.4.30 and 14.0.0 through 14.3.2.
RemediationAI
The upstream fix is confirmed available via TYPO3 security advisory typo3-core-sa-2026-010 (https://typo3.org/security/advisory/typo3-core-sa-2026-010) and is patched in commits 2e96dd0e9fab7ad877b741fb9f6fc645b4270a3e and 8004b91a5951cfe01dda8554f77d0daa82d6b899 on the TYPO3 GitHub repository. Exact patched release version numbers (e.g., 13.4.31, 14.3.3) are not explicitly stated in the available input data - consult the vendor advisory for the precise upgrade target before deploying. For sites that cannot patch immediately, two targeted compensating controls are available with trade-offs: first, restrict backend editor roles so that only fully trusted accounts have page-editing permissions, reducing the likelihood of malicious title injection at the cost of reduced editorial autonomy; second, disable or remove EXT:indexed_search from the active frontend installation (disabling the plugin removes the vulnerable rendering path entirely but also disables site search functionality). Re-indexing after upgrade is advisable to purge any previously stored unsanitized titles from the search index.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35395
GHSA-cg75-qfg2-w9hj