CVE-2026-46722 MEDIUM

CVE-2026-46722: XML External Entity Injection in extension "Faceted Search" (ke_search)

Vendor Typo3
Product Extension "Faceted Search"
Weakness CWE-611 · XXE
Published May 19, 2026
Last update June 3, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

01 Description

The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.
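A defender-side check for the condition described above, as an added example that is not code from ke_search or its fix: it flags xlsx/pptx packages whose XML parts carry a DTD, which legitimate OOXML parts have no need for, so such files can be held back before the indexer sees them. The function names, the part-size cap and the in-memory sample are assumptions constructed for this illustration.

```python
import io
import zipfile

# "<!DOCTYPE" / "<!ENTITY" in the encodings an XML parser auto-detects.
_MARKERS = [m.encode(enc)
            for m in ("<!DOCTYPE", "<!ENTITY")
            for enc in ("utf-8", "utf-16-le", "utf-16-be")]
_XML_PARTS = (".xml", ".rels", ".vml")
MAX_PART_BYTES = 50 * 1024 * 1024  # assumed cap; larger parts are not inspected


def parts_with_dtd(package):
    """Return the names of XML parts in an OOXML package that declare a DTD.

    `package` is a path or a binary file object. Parts above the size cap
    are reported too, because they cannot be cleared by this check.
    """
    flagged = []
    with zipfile.ZipFile(package) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(_XML_PARTS):
                continue
            if info.file_size > MAX_PART_BYTES:
                flagged.append(info.filename)
                continue
            data = zf.read(info)
            if any(marker in data for marker in _MARKERS):
                flagged.append(info.filename)
    return flagged


def build_sample(with_dtd):
    """Constructed in-memory package; the entity is internal and harmless."""
    sheet = "<worksheet><sheetData/></worksheet>"
    if with_dtd:
        sheet = '<!DOCTYPE worksheet [<!ENTITY e "constructed">]>' + sheet
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", '<?xml version="1.0"?>' + sheet)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(parts_with_dtd(build_sample(True)))
    print(parts_with_dtd(build_sample(False)))
```

A check like this only screens input files; the weakness itself is in the parser configuration, where external entity resolution has to be disabled.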

Key dates

02 Disclosure timeline

May 19, 2026 CVE published
June 3, 2026 Record updated