PatchSiren cyber security CVE debrief
CVE-2026-46723 TYPO3 CVE debrief
CVE-2026-46723 is a medium-severity information disclosure vulnerability in TYPO3's indexed search extension. The `additional_tables` configuration parameter in the page and tt_content indexers fails to validate table and field names, allowing a backend user with indexer configuration permissions to exfiltrate sensitive data from internal TYPO3 tables into the search index. Published on 2026-05-19, this issue carries a CVSS 4.0 score of 5.9 (MEDIUM) with a vector indicating network attack vector, low attack complexity, privileged attacker requirements, and high confidentiality impact on the vulnerable component. The vulnerability is classified under CWE-668 (Exposure of Resource to Wrong Sphere). TYPO3 has issued security advisory TYPO3-EXT-SA-2026-011 addressing this flaw.
- Vendor: TYPO3
- Product: Extension "Faceted Search"
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
TYPO3 administrators, security teams managing TYPO3 CMS deployments, and organizations relying on indexed search functionality with multi-user backend environments
Technical summary
The TYPO3 indexed search extension's `additional_tables` configuration accepts arbitrary table and field names without validation. A backend user possessing indexer configuration edit permissions can leverage this weakness to copy sensitive data from internal TYPO3 system tables into the publicly accessible search index, resulting in unauthorized information disclosure. The vulnerability requires high privileges (backend administrative access) but poses significant confidentiality risk to the affected system component.
Defensive priority
medium
Recommended defensive actions
- Review and restrict backend user permissions for indexer configuration access
- Apply TYPO3 security advisory TYPO3-EXT-SA-2026-011 patches when available
- Audit existing indexer configurations for unauthorized table references
- Monitor search index contents for unexpected sensitive data inclusion
- Implement principle of least privilege for TYPO3 backend administrative roles
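An added example, not part of the advisory or the extension's code, for the audit step above: it checks each indexer configuration's `additional_tables` references against an operator-approved allowlist and against valid identifier syntax. It assumes the configurations are already parsed into a table-to-fields mapping (the extension's storage syntax is not shown here); the allowlist, function names and sample records are constructed.

```python
import re

# Assumption: tables and fields the operator has approved for indexing.
ALLOWED = {
    "tt_content": {"header", "subheader", "bodytext"},
    "pages": {"title", "abstract", "description"},
}
# Plain SQL-style identifier: anything else is rejected outright.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def audit_additional_tables(config_uid, tables):
    """Return (uid, table, field, reason) findings for one indexer config."""
    findings = []
    for table, fields in tables.items():
        if not IDENT.fullmatch(table):
            findings.append((config_uid, table, None, "invalid table name"))
            continue
        if table not in ALLOWED:
            findings.append((config_uid, table, None, "table not approved"))
            continue
        for field in fields:
            if not IDENT.fullmatch(field):
                findings.append((config_uid, table, field, "invalid field name"))
            elif field not in ALLOWED[table]:
                findings.append((config_uid, table, field, "field not approved"))
    return findings


def audit_all(configs):
    """Audit every indexer configuration; configs maps uid -> {table: [fields]}."""
    findings = []
    for uid, tables in configs.items():
        findings.extend(audit_additional_tables(uid, tables))
    return findings


# Constructed sample records (hypothetical uids and contents).
SAMPLE_CONFIGS = {
    1: {"tt_content": ["header", "bodytext"]},    # expected: clean
    2: {"be_users": ["username", "password"]},    # internal table
    3: {"pages": ["title", "TSconfig"]},          # unapproved field
    4: {"tt_content; --": ["header"]},            # not an identifier
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_CONFIGS):
        print(finding)
```

Any finding is a configuration to review by hand, together with the search index entries it produced.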
Evidence notes
Vulnerability description and CVSS vector sourced from NVD record. Vendor identification derived from reference domain analysis pointing to TYPO3. Advisory reference confirms TYPO3 as affected vendor. No KEV listing present.
Official resources
- CVE-2026-46723 CVE record (CVE.org)
- CVE-2026-46723 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: f4fb688c-4412-4426-b4b8-421ecf27b14a, 2026-05-19