Info Disclosure through Arbitrary Table Injection in TYPO3 Search Indexer
CVE-2026-46723 Published on May 19, 2026
Information Disclosure in extension "Faceted Search" (ke_search)
The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index.
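One way to constrain the table and field names described above, as an added example that is not ke_search code or the vendor's fix: an allowlist check applied to the configuration before any indexing runs. The INI-style `[table]` / `fields[]` layout, the `tx_myext_*` names and `validateAdditionalTables()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not ke_search code. Assumed (constructed) configuration format:
// one INI section per table, with repeated "fields[]" entries naming the columns.

/** Hypothetical allowlist: table name => fields that may be copied into the index. */
const INDEXABLE_TABLES = [
    'tx_myext_teaser' => ['title', 'teaser_text'],
    'tx_myext_faq'    => ['question', 'answer'],
];

/** Returns the validated table => fields map; throws on anything not allowlisted. */
function validateAdditionalTables(string $rawConfig, array $allowlist = INDEXABLE_TABLES): array
{
    $parsed = parse_ini_string($rawConfig, true, INI_SCANNER_RAW);
    if ($parsed === false) {
        throw new InvalidArgumentException('additional_tables is not parseable');
    }
    $result = [];
    foreach ($parsed as $table => $settings) {
        $table = (string)$table; // numeric section names arrive as integers
        // Reject keys outside a section and any table that is not on the allowlist.
        if (!is_array($settings) || !array_key_exists($table, $allowlist)) {
            throw new InvalidArgumentException("table not allowed for indexing: $table");
        }
        $fields = $settings['fields'] ?? [];
        if (!is_array($fields) || $fields === []) {
            throw new InvalidArgumentException("no field list for table: $table");
        }
        foreach ($fields as $field) {
            if (!in_array($field, $allowlist[$table], true)) {
                throw new InvalidArgumentException("field not allowed: $table.$field");
            }
        }
        $result[$table] = array_values(array_unique($fields));
    }
    return $result;
}

// Constructed sample input: the second entry names a table outside the allowlist.
$samples = [
    "[tx_myext_faq]\nfields[] = question\nfields[] = answer\n",
    "[some_internal_table]\nfields[] = secret_column\n",
];
foreach ($samples as $raw) {
    try {
        print_r(validateAdditionalTables($raw));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . PHP_EOL;
    }
}
```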
Weakness Type
Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Affected Versions
TYPO3 Extension "Faceted Search":
- Versions from 7.0.0 and below 7.0.1 are affected.
- Versions from 6.0.0 and below 6.6.1 are affected.
- Versions before 5.6.2 are affected.