CVE-2026-46722
MEDIUMXML External Entity Injection in extension "Faceted Search" (ke_search)
Title source: cnaDescription
The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://typo3.org/security/advisory/typo3-ext-sa-2026-011
Scores
CVSS v4
5.9
EPSS
0.0030
EPSS Percentile
22.0%
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (9)
tpwd/ke_search
0 - 4.6.7Packagist
tpwd/ke_search
5.0.0 - 5.6.2Packagist
tpwd/ke_search
6.0.0 - 6.6.1Packagist
tpwd/ke_search
7.0.0 - 7.0.1Packagist
TYPO3/Extension "Faceted Search"
< 4.6.7
TYPO3/Extension "Faceted Search"
< 5.6.2
TYPO3/Extension "Faceted Search"
5.0.0 - 5.6.2
TYPO3/Extension "Faceted Search"
6.0.0 - 6.6.1
TYPO3/Extension "Faceted Search"
7.0.0 - 7.0.1
Published
May 19, 2026
Tracked Since
May 19, 2026