XML External Entity Injection in extension “Faceted Search” (ke_search)

5.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Description

The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.

Basic Information

ID CVE-2026-46722

Source TYPO3

Published May 19, 2026 at 09:23

Affected Product

Vendor TYPO3

Product Extension "Faceted Search"

Version 7.0.0

Affected Versions TYPO3 Extension "Faceted Search" 7.0.0
TYPO3 Extension "Faceted Search" 6.0.0
TYPO3 Extension "Faceted Search" 0

CWE Classification

CWE-611

References

typo3.org /security/advisory/typo3-ext-sa-2026-011

{
    "lastseen": "",
    "description": "The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.",
    "published": "2026-05-19T09:23:02.618Z",
    "modified": "2026-05-19T09:23:02.618Z",
    "type": "cve",
    "title": "XML External Entity Injection in extension \"Faceted Search\" (ke_search)",
    "source": "TYPO3",
    "references": "https://typo3.org/security/advisory/typo3-ext-sa-2026-011",
    "id": "CVE-2026-46722",
    "bulletinFamily": "",
    "cwe": [
        "CWE-611"
    ],
    "cvelist": null,
    "sourceData": "TYPO3 Extension \"Faceted Search\" 7.0.0\nTYPO3 Extension \"Faceted Search\" 6.0.0\nTYPO3 Extension \"Faceted Search\" 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Extension \"Faceted Search\"",
    "version": "7.0.0",
    "vendor": "TYPO3",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

XML External Entity Injection in extension “Faceted Search” (ke_search)_CVE-2026-46722