PatchSiren

CVE-2026-47348 TYPO3 CVE debrief

CVE-2026-47348 is a Cross-Site Scripting (XSS) vulnerability in TYPO3 CMS, a popular content management system. The vulnerability affects versions 13.0.0-13.4.30 and 14.0.0-14.3.2. Editors with access to create or modify page content could include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in an XSS vulnerability.

Vendor: TYPO3
Product: TYPO3 CMS
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-09
Advisory published: 2026-06-09
Advisory updated: 2026-06-09

Who should care

Users of TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2, particularly those with editors who have access to create or modify page content, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability has a CVSS score of 5.1 and a severity rating of MEDIUM. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update TYPO3 CMS to version 13.4.31 or later, or 14.3.3 or later.
  • Review and sanitize HTML markup in page titles stored in the search index.
  • Use a web application firewall (WAF) to detect and prevent XSS attacks.
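
An added example, not code from PatchSiren or TYPO3: one way to carry out the title review above is to export page titles and flag every title that an HTML parser reads as markup, together with its output-encoded form. The CSV export, its uid and title columns, and the sample rows are assumptions constructed for illustration.

```python
import csv
import html
import io
from html.parser import HTMLParser

# Constructed sample: a CSV export of page titles. The export and its
# column names (uid, title) are assumptions, not a TYPO3 format.
SAMPLE_EXPORT = '''uid,title
12,Opening hours & contact
27,<b>Summer sale</b>
31,"Prices < 10 EUR, delivery > 2 days"
44,News <img src=x onerror=alert(1)>
58,Tom &amp; Jerry
'''

class _TagFinder(HTMLParser):
    """Collects the names of tags an HTML parser recognises in a string."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)

def find_markup(title):
    # A bare "<" or "&" in ordinary text is not reported; only real tags are.
    finder = _TagFinder()
    finder.feed(title)
    finder.close()
    return finder.tags

def audit_titles(export_text):
    """Return (uid, tags, encoded_title) for every title containing markup."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        tags = find_markup(row["title"])
        if tags:
            # html.escape gives the form that is safe to place in HTML output.
            findings.append((row["uid"], tags, html.escape(row["title"], quote=True)))
    return findings

if __name__ == "__main__":
    for uid, tags, encoded in audit_titles(SAMPLE_EXPORT):
        print(f"uid={uid} tags={tags} safe-output={encoded}")
```

Titles that use "<" or "&" as plain text (uid 12, 31 and 58 in the sample) are not flagged, so the findings list only contains entries an editor needs to look at.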

Evidence notes

The CVE record was published on 2026-06-09T11:16:52.583Z and modified on 2026-06-09T13:46:50.540Z. The vulnerability was reported by an unknown vendor, but evidence suggests it is related to TYPO3.

Official resources

CVE-2026-47348 was published on 2026-06-09T11:16:52.583Z and modified on 2026-06-09T13:46:50.540Z.