Info Disclosure through Arbitrary Table Injection in TYPO3 Search Indexer
CVE-2026-46723 Published on May 19, 2026

Information Disclosure in extension "Faceted Search" (ke_search)
The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index.


Weakness Type

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.


Affected Versions

TYPO3 Extension "Faceted Search":

Exploit Probability

EPSS: 0.32%
Percentile: 23.35%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.