TYPO3 OOXML Indexer: XML External Entity (XXE) Exploit
CVE-2026-46722 Published on May 19, 2026
XML External Entity Injection in extension "Faceted Search" (ke_search)
The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.
Weakness Type
What is a XXE Vulnerability?
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2026-46722 has been classified to as a XXE vulnerability or weakness.
Affected Versions
TYPO3 Extension "Faceted Search":- Version 7.0.0 and below 7.0.1 is affected.
- Version 6.0.0 and below 6.6.1 is affected.
- Version 5.0.0 and below 5.6.2 is affected.
- Before 4.6.7 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.