PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46724 TYPO3 CVE debrief

CVE-2026-46724 describes a path traversal weakness in a file indexer that fails to normalize its configured directory path. According to the NVD record, a backend user who already has permission to edit indexer configurations can use traversal sequences to point indexing at arbitrary locations on the server file system. The primary risk is unauthorized exposure of local files through the indexing workflow, rather than direct code execution. The CVE was published on 2026-05-19 and is rated medium severity (CVSS 5.9).

Vendor: TYPO3
Product: Extension "Faceted Search"
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Administrators and operators who manage backend indexer settings, teams running the TYPO3 deployments referenced by the advisory, and teams responsible for server-side content indexing, file access controls, and secret hygiene.

Technical summary

The NVD entry maps the issue to CWE-22 (improper limitation of a pathname to a restricted directory). The vulnerable behavior is failure to canonicalize or normalize the configured directory path before use. Because the attacker must already have backend privileges to edit indexer configurations, the issue is not a low-friction remote attack. However, once that privilege is available, traversal sequences may allow the indexer to read from unintended server paths and ingest files outside the expected content root.

Defensive priority

Medium. The precondition of backend configuration access raises the bar, but successful exploitation can expose arbitrary local files through indexing, which may include sensitive documents or configuration data.

Recommended defensive actions

  • Apply the vendor-fixed version or follow the referenced TYPO3 advisory guidance for the affected component.
  • Review all indexer configuration paths for traversal sequences or other non-canonical path forms.
  • Enforce canonicalization and allowlisting so indexers can only operate within approved directories.
  • Restrict who can edit indexer settings and apply least-privilege access controls to backend roles.
  • Limit the filesystem permissions of the indexing service account to only the content it should read.
  • Audit indexed content and access logs for unexpected source paths or unusual file ingestion.
  • If sensitive files may have been indexed, assess whether secrets or credentials need to be rotated or otherwise remediated.
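The canonicalization and allowlist check described in the technical summary and in the actions above, written as an added example rather than code from TYPO3 or the extension. The content root, allowed roots and configured paths are constructed for the example; the check is purely lexical (it collapses "." and ".." segments and tests containment), which is the normalization the vulnerable indexer omitted.

```python
import posixpath
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# Constructed content root and allowlist for this example; a real deployment
# would take both from its own configuration.
CONTENT_ROOT = "/var/www/site/fileadmin"
ALLOWED_ROOTS = ("/var/www/site/fileadmin", "/var/www/site/uploads")


@dataclass(frozen=True)
class PathCheck:
    configured: str            # value exactly as stored in the indexer config
    normalized: Optional[str]  # lexically canonical absolute path, if derivable
    verdict: str               # "ok", "traversal", "outside-allowlist", "invalid"


def normalize_indexer_path(configured: str, content_root: str = CONTENT_ROOT) -> str:
    """Anchor relative paths at the content root, then collapse '.' and '..'."""
    anchored = configured if configured.startswith("/") else posixpath.join(content_root, configured)
    return posixpath.normpath(anchored)


def check_indexer_path(configured: str, allowed_roots: Sequence[str] = ALLOWED_ROOTS,
                       content_root: str = CONTENT_ROOT) -> PathCheck:
    if not configured or "\x00" in configured:
        return PathCheck(configured, None, "invalid")
    # Backslashes are treated as separators so a reviewer sees Windows-style
    # traversal too; any '..' segment is reported even if it would normalize
    # back inside the root, because the stored value itself is the finding.
    if ".." in configured.replace("\\", "/").split("/"):
        return PathCheck(configured, normalize_indexer_path(configured, content_root), "traversal")
    normalized = normalize_indexer_path(configured, content_root)
    for root in allowed_roots:
        root = posixpath.normpath(root)
        # Compare on a segment boundary: "/site/fileadmin2" must not match
        # the root "/site/fileadmin" just because it shares the prefix.
        prefix = root if root.endswith("/") else root + "/"
        if normalized == root or normalized.startswith(prefix):
            return PathCheck(configured, normalized, "ok")
    return PathCheck(configured, normalized, "outside-allowlist")


def audit_indexer_configs(configured_paths: Iterable[str]) -> List[PathCheck]:
    """Review stored indexer directories; returns only entries needing attention."""
    return [c for c in (check_indexer_path(p) for p in configured_paths) if c.verdict != "ok"]
```

On a live system, follow the lexical check with os.path.realpath on the normalized value and repeat the containment test, so a symlink inside the content root cannot point indexing outside the allowlist.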

Evidence notes

The debrief is based on the supplied NVD record for CVE-2026-46724, which references the TYPO3 advisory TYPO3-EXT-SA-2026-011 and classifies the weakness as CWE-22. The only confirmed impact in the supplied corpus is that a backend user with indexer configuration privileges can cause the file indexer to read documents from arbitrary filesystem locations via path traversal sequences.

Official resources

Publicly disclosed in the NVD record on 2026-05-19, with NVD referencing the TYPO3 security advisory TYPO3-EXT-SA-2026-011.