CVE-2026-46722
Severity: MEDIUM
XML External Entity Injection in extension "Faceted Search" (ke_search)
Title source: cnaDescription
The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.
References (1)
Vendor Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2026-011
Scores
CVSS v4: 5.9
EPSS: 0.0004
EPSS Percentile: 12.5%
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-611
Status: published
Products (3)
TYPO3/Extension "Faceted Search": < 5.6.2
TYPO3/Extension "Faceted Search": 6.0.0 - 6.6.1
TYPO3/Extension "Faceted Search": 7.0.0 - 7.0.1
Published: May 19, 2026
Tracked Since: May 19, 2026