Impact
An XML External Entity (XXE) vulnerability exists in the OOXML parsing component of the TYPO3 Faceted Search extension. The parser does not disable external entity resolution when it reads the XML parts inside an xlsx or pptx package, so an attacker can embed external entity references in a crafted document. When the extension indexes such a document, resolving those entities can read local files on the server or issue outbound HTTP requests, and the resolved content is written into the search index, where it may leak sensitive information through search results.
Affected Systems
The vulnerability affects the TYPO3 extension "Faceted Search". The advisory gives no specific version information, so the scope covers any installation where the extension is enabled and users can place OOXML documents in directories that are subject to indexing.
Risk and Exploitability
The CVSS score of 5.9 places the issue in the medium severity band. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, which means no confirmed in-the-wild exploitation has been reported, not that exploitation is difficult: a DTD with an external entity in a sheet or slide part is a well-understood payload. The likely attack vector is an attacker who can upload or place a malicious OOXML document into an indexed directory, or who can otherwise influence the content the extension processes. On success, the attacker can read local files the PHP process can access or trigger HTTP requests to internal or external hosts, with the results disclosed through the search index. Since the advisory reports no official patch or workaround from the vendor, the risk remains until an update is applied or the deployment is hardened by configuration, for example by disabling external entity loading in the XML parser (or rejecting OOXML parts that declare a DTD at all), restricting who can write to indexed directories, and limiting outbound network access from the web server.
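The following is an added example, not code from the Faceted Search extension or from the advisory, showing the two halves of the problem described above: a constructed xlsx-like package whose sharedStrings part carries an external entity declaration, and a pre-indexing check that refuses any OOXML part declaring a DTD before the XML reaches a parser. It is written in Python with the standard library so it runs stand-alone; the part names, namespace and sample cell text are constructed for the illustration, and the check is a defense-in-depth filter in addition to, not instead of, configuring the parser itself.

```python
"""Added example (not from the extension): a crafted OOXML package with an
XXE payload, and a DTD pre-check an indexer can run before parsing."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SML_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

# Constructed sample: the shared-string table an indexer reads cell text from.
SHARED_STRINGS_CLEAN = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<si><t>quarterly revenue</t></si><si><t>board minutes</t></si></sst>'
)

# Constructed sample: same part with an external entity. A parser that
# substitutes external entities (e.g. libxml with LIBXML_NOENT) would place
# the contents of /etc/passwd into the cell text, and hence the index.
SHARED_STRINGS_XXE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE sst [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<si><t>&xxe;</t></si></sst>'
)


def build_xlsx(shared_strings_xml: str) -> bytes:
    """Build a minimal xlsx-shaped zip in memory (only the parts we need)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org'
            '/package/2006/content-types"/>',
        )
        zf.writestr("xl/sharedStrings.xml", shared_strings_xml)
    return buf.getvalue()


DTD_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def _as_text(data: bytes) -> str:
    """Decode a part so the check also catches UTF-16 encoded payloads."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")


def find_dtd_parts(ooxml: bytes) -> list:
    """Return archive members that declare a DTD or entity.

    Well-formed OOXML parts never carry a DOCTYPE, so any hit is grounds to
    refuse the document rather than try to parse it.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".xml", ".rels")):
                if DTD_RE.search(_as_text(zf.read(name))):
                    hits.append(name)
    return hits


def is_safe_to_index(ooxml: bytes) -> bool:
    return not find_dtd_parts(ooxml)


def extract_shared_strings(ooxml: bytes) -> list:
    """Text an indexer would take from the workbook, guarded by the DTD check."""
    bad = find_dtd_parts(ooxml)
    if bad:
        raise ValueError(f"refusing OOXML with DTD/entity declarations in: {bad}")
    with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return [t.text or "" for t in root.iter(SML_NS + "t")]


if __name__ == "__main__":
    clean, hostile = build_xlsx(SHARED_STRINGS_CLEAN), build_xlsx(SHARED_STRINGS_XXE)
    print("clean:", extract_shared_strings(clean))
    print("hostile parts declaring a DTD:", find_dtd_parts(hostile))
```

The check runs on the raw bytes of every XML and .rels part, so it does not depend on which parser the indexer later uses. The authoritative fix is still parser configuration: in PHP the dangerous pattern is passing LIBXML_NOENT to DOMDocument::loadXML or simplexml_load_string (that flag substitutes entities, including external ones), and the hardened form omits it and adds LIBXML_NONET so the parser cannot reach the network even if a DTD slips through.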
OpenCVE Enrichment