Skip to main content

Typesense

2 CVEs product

Monthly

CVE-2026-47216 HIGH PATCH This Week

Unauthenticated denial-of-service in Typesense search engine versions prior to 29.1 and 30.2 allows remote attackers to terminate the server process by sending a crafted request to the /multi_search endpoint. The flaw triggers an unhandled exception during request processing, causing complete service unavailability for the duration of restart and dataset reload. No public exploit identified at time of analysis, and the low EPSS score (0.10%) suggests limited current exploitation interest despite the high CVSS 4.0 score of 8.7.

Information Disclosure Typesense
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-47225 MEDIUM PATCH This Month

Cache isolation failure in Typesense's search engine exposes restricted search results across Scoped Search API Key authorization boundaries. When server-side caching and Scoped API Keys are both active, a specific sequence of requests can cause the cache to serve results to a scoped requester that were originally populated by a less-restricted context, effectively bypassing the embedded filter constraints of that key. Versions prior to 29.1 and 30.2 are affected; vendor-released patches exist in both release lines, with no public exploit identified and an EPSS of 0.05% (15th percentile) confirming low current exploitation probability.

Information Disclosure Typesense
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated denial-of-service in Typesense search engine versions prior to 29.1 and 30.2 allows remote attackers to terminate the server process by sending a crafted request to the /multi_search endpoint. The flaw triggers an unhandled exception during request processing, causing complete service unavailability for the duration of restart and dataset reload. No public exploit identified at time of analysis, and the low EPSS score (0.10%) suggests limited current exploitation interest despite the high CVSS 4.0 score of 8.7.

Information Disclosure Typesense
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Cache isolation failure in Typesense's search engine exposes restricted search results across Scoped Search API Key authorization boundaries. When server-side caching and Scoped API Keys are both active, a specific sequence of requests can cause the cache to serve results to a scoped requester that were originally populated by a less-restricted context, effectively bypassing the embedded filter constraints of that key. Versions prior to 29.1 and 30.2 are affected; vendor-released patches exist in both release lines, with no public exploit identified and an EPSS of 0.05% (15th percentile) confirming low current exploitation probability.

Information Disclosure Typesense
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy