Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences.
AnalysisAI
Path traversal in the TYPO3 'Faceted Search' extension's file indexer exposes arbitrary server filesystem content to high-privileged backend users. Because the indexer does not normalize or canonicalize the configured directory path before use, a backend user holding the specific permission to edit indexer configurations can supply path traversal sequences to redirect indexing at sensitive locations outside the intended document root. The CVSS 4.0 score of 5.9 (Medium) reflects high confidentiality impact (VC:H) constrained by the requirement for high privileges (PR:H). No public exploit or CISA KEV listing exists at time of analysis.
Technical ContextAI
The vulnerability is rooted in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a classic path traversal weakness. TYPO3 is a PHP-based enterprise CMS; its 'Faceted Search' extension (CPE: cpe:2.3:a:typo3:extension_"faceted_search":*:*:*:*:*:*:*:*) provides a configurable file indexer that reads document directories and feeds their contents into a search index. The flaw arises because the extension accepts an administrator-supplied directory path and passes it to the indexer without first normalizing it - for example, resolving '..' sequences or anchoring to an allowed base path. As a result, sequences such as '../../etc/' or absolute paths can escape the intended directory boundary, causing the indexer to traverse and expose filesystem content the web application user account can read. The attack vector is Network (AV:N) because the configuration is submitted via TYPO3's web-based backend, though AT:P indicates additional prerequisites (the specific permission grant) must be in place.
RemediationAI
The primary fix is to update the TYPO3 'Faceted Search' extension to the patched version identified in the vendor advisory at https://typo3.org/security/advisory/typo3-ext-sa-2026-011. Patch available per vendor advisory; an exact fixed version number was not independently confirmed from the available input data and must be verified directly from that advisory. As a compensating control prior to patching, administrators should immediately audit and restrict the 'edit indexer configurations' backend permission, removing it from any role assigned to partially trusted users and retaining it only for fully trusted site administrators - this directly eliminates the PR:H attack vector for untrusted accounts. Additionally, enforcing PHP-level open_basedir restrictions or OS-level filesystem permissions that limit the web server process to only required document directories will reduce the blast radius of any path traversal attempt, though this may require testing to avoid disrupting legitimate indexer functionality.
More in Extension Faceted Search
View allXML External Entity (XXE) injection in the OOXML file indexer of the TYPO3 'Faceted Search' extension (EXT:faceted_searc
Sensitive internal TYPO3 database content can be exfiltrated into the public search index via the Faceted Search extensi
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30864
GHSA-c72x-mc2p-wv7x