PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46722 TYPO3 CVE debrief

A medium-severity XML External Entity (XXE) vulnerability in the OOXML file indexer allows crafted .xlsx or .pptx documents to trigger local file disclosure or outbound HTTP requests, with the retrieved content written to the search index. The vulnerability was published on 2026-05-19 and, according to the vendor security advisory reference, affects TYPO3 CMS. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, privileges required, and high confidentiality impact on the vulnerable component. The underlying weakness is CWE-611 (Improper Restriction of XML External Entity Reference).

Vendor: TYPO3
Product: Extension "Faceted Search"
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

TYPO3 CMS administrators, security teams managing document indexing pipelines, and organizations using file indexers that process OOXML documents

Technical summary

The vulnerability exists in the OOXML parsing component of a file indexer, which fails to disable external entity resolution when processing Microsoft Office Open XML documents (.xlsx, .pptx). An attacker with privileged access can place a malicious document in an indexed directory. When the indexer processes the document, the embedded external entity references are resolved, causing the application to read local files or make outbound HTTP requests. The retrieved content is then written to the search index, potentially exposing sensitive information or enabling server-side request forgery (SSRF). The CVSS 4.0 score of 5.9 (Medium) reflects the privileged access requirement and the high confidentiality impact, while integrity and availability are not affected.

Defensive priority

Medium

Recommended defensive actions

  • Review file indexer configurations to disable external entity resolution in XML parsers
  • Restrict upload of .xlsx and .pptx files to trusted administrative users only
  • Monitor search index content for unexpected external data
  • Apply TYPO3 security advisory typo3-ext-sa-2026-011 when available
  • Implement network egress controls on indexing services to prevent unauthorized outbound HTTP requests
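As an added, runnable illustration of the first and third actions above (this is not PatchSiren's, TYPO3's or the extension's own code): a pre-indexing scanner that opens an OOXML archive and flags any XML part declaring a DTD or an external entity, so the file can be quarantined before the indexer parses it. Well-formed Office documents carry no DTD, so any DOCTYPE is a reason to hold the file; the archive layout and the http://example.invalid URL below are constructed test data.

```python
import io
import re
import zipfile

# A DTD anywhere in an OOXML part is already out of spec; an ENTITY declaration
# with a SYSTEM or PUBLIC identifier (including parameter entities, "% name")
# is the construct that makes the parser reach for a local file or a URL.
DTD_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def scan_ooxml(data: bytes) -> list[dict]:
    """Return one finding per XML part (.xml or .rels) that declares a DTD or external entity."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            part = zf.read(info.filename)  # whole part: a prolog may be padded with comments before the DOCTYPE
            has_dtd = DTD_RE.search(part) is not None
            has_external = EXTERNAL_ENTITY_RE.search(part) is not None
            if has_dtd or has_external:
                findings.append({"part": info.filename, "dtd": has_dtd, "external_entity": has_external})
    return findings


def build_sample(with_external_entity: bool) -> bytes:
    """Constructed test input: a minimal .xlsx-shaped archive, not a real workbook."""
    prolog = '<?xml version="1.0" encoding="UTF-8"?>\n'
    if with_external_entity:
        # Hypothetical probe URL; example.invalid never resolves.
        dtd = '<!DOCTYPE x [<!ENTITY ext SYSTEM "http://example.invalid/probe">]>\n'
        cell = "&ext;"
    else:
        dtd, cell = "", "42"
    sheet = f"{prolog}{dtd}<worksheet><sheetData><row><c><v>{cell}</v></c></row></sheetData></worksheet>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    prolog + '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("external entity", build_sample(True))):
        print(label, "->", scan_ooxml(sample) or "no findings")
```

Run it on files dropped into the indexed directory before they are handed to the indexer; a non-empty result is a quarantine decision, not a parse.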

Evidence notes

Vendor attribution to TYPO3 is based on reference domain candidate evidence with low confidence and requires review. The NVD entry shows vulnStatus 'Deferred'.

Official resources

2026-05-19