CVE-2026-46722

MEDIUM

XML External Entity Injection in extension "Faceted Search" (ke_search)

Title source: cna
STIX 2.1

Description

The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.

References (1)

Core 1
Core References

Scores

CVSS v4 5.9
EPSS 0.0030
EPSS Percentile 22.0%
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-611
Status published
Products (9)
tpwd/ke_search 0 - 4.6.7Packagist
tpwd/ke_search 5.0.0 - 5.6.2Packagist
tpwd/ke_search 6.0.0 - 6.6.1Packagist
tpwd/ke_search 7.0.0 - 7.0.1Packagist
TYPO3/Extension "Faceted Search" < 4.6.7
TYPO3/Extension "Faceted Search" < 5.6.2
TYPO3/Extension "Faceted Search" 5.0.0 - 5.6.2
TYPO3/Extension "Faceted Search" 6.0.0 - 6.6.1
TYPO3/Extension "Faceted Search" 7.0.0 - 7.0.1
Published May 19, 2026
Tracked Since May 19, 2026