Skip to main content

TYPO3 Faceted Search EUVDEUVD-2026-30863

| CVE-2026-46723 MEDIUM
Exposure of Resource to Wrong Sphere (CWE-668)
2026-05-19 TYPO3 GHSA-67j3-jmm3-32xc
5.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 19, 2026 - 11:16 EUVD
Analysis Generated
May 19, 2026 - 10:47 vuln.today
CVSS changed
May 19, 2026 - 10:22 NVD
5.9 (MEDIUM)

DescriptionCVE.org

The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index.

AnalysisAI

Sensitive internal TYPO3 database content can be exfiltrated into the public search index via the Faceted Search extension's misconfigured additional_tables parameter. Backend users holding permission to edit indexer configurations can reference arbitrary internal database tables and fields - including those storing backend credentials, frontend user records, or other protected data - causing the search indexer to copy that data into the search index where it may be surfaced in search results or via API responses. No public exploit has been identified at time of analysis, and exploitation is constrained by the requirement for high-privilege backend access (PR:H per CVSS 4.0), placing this firmly in insider-threat and privilege-misuse risk scenarios.

Technical ContextAI

TYPO3's Faceted Search extension provides configurable full-text search indexing for page and tt_content records. Indexer configurations include an additional_tables parameter designed to allow administrators to extend indexing to related database tables. The root cause, classified as CWE-668 (Exposure of Resource to Wrong Sphere), is the absence of an allowlist or access control layer restricting which tables and fields this parameter can target. Because TYPO3's internal database contains sensitive tables not intended for search exposure - such as be_users (backend user records including password hashes), fe_users (frontend user accounts), and various sys_* system tables - an unconstrained additional_tables value crosses the boundary between the administrative sphere and the public search sphere. The affected CPE is cpe:2.3:a:typo3:extension_faceted_search:*:*:*:*:*:*:*:*, indicating the extension across all tracked versions. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:H/UI:N) confirms network-accessible exploitation path but with present attack requirements and high-privilege prerequisite.

RemediationAI

Consult the TYPO3 security advisory at https://typo3.org/security/advisory/typo3-ext-sa-2026-011 and apply the patched version of the Faceted Search extension as directed; the exact fixed version must be obtained from the advisory as it was not confirmed in the available data. As an immediate compensating control, administrators should audit backend user role assignments and revoke permission to edit Faceted Search indexer configurations from any user who does not require it operationally - this directly eliminates the attack surface. Additionally, review all existing indexer configurations for unauthorized references to sensitive internal tables (be_users, fe_users, sys_*) in the additional_tables field and remove them. Search index contents should be audited and re-indexed after remediation to purge any previously exfiltrated sensitive data. Restricting Faceted Search indexer configuration access to a minimal set of trusted administrators is the most effective compensating control pending patching, with no meaningful functional side effects for normal site operation.

Share

EUVD-2026-30863 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy