Description
The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index.
Published: 2026-05-19
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Faceted Search extension’s page and tt_content indexers allow the additional_tables configuration to specify any table and field names. A backend user who can edit indexer settings can use this feature to copy sensitive data from internal TYPO3 tables into the search index, exposing data that should remain confidential. This flaw is a clear information‑disclosure vulnerability corresponding to CWE‑668.

Affected Systems

All installations of the TYPO3 extension "Faceted Search" where the additional_tables option is enabled are vulnerable. The impact is only reachable by users who have backend permissions to edit indexer configurations – typically editors or administrators. Users without such rights are unaffected, but the presence of the misconfigured option can still be exploited if credentials are compromised.

Risk and Exploitability

With a CVSS score of 5.9 the vulnerability is classified as medium severity. The EPSS score is not available, and the flaw is not listed in CISA’s KEV catalog, suggesting a lower public exploitation likelihood at present. However, the attack vector requires legitimate backend access, which is a realistic risk in environments with permissive editing rights. If an attacker gains such access, the disclosed data could reveal business secrets, personal information, or other confidential content, potentially violating privacy regulations and compromising business operations.

Generated by OpenCVE AI on May 19, 2026 at 11:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or remove the additional_tables configuration in the Faceted Search extension to eliminate the ability to reference arbitrary tables
  • Revoke backend edit permissions for indexer configuration from users who do not require them, applying the principle of least privilege
  • Apply any available security updates or patches for the Faceted Search extension from TYPO3 once released

Generated by OpenCVE AI on May 19, 2026 at 11:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Typo3
Typo3 extension "faceted Search"
Vendors & Products Typo3
Typo3 extension "faceted Search"

Tue, 19 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index.
Title Information Disclosure in extension "Faceted Search" (ke_search)
Weaknesses CWE-668
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

Typo3 Extension "faceted Search"
cve-icon MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-05-19T13:30:30.411Z

Reserved: 2026-05-16T09:55:27.478Z

Link: CVE-2026-46723

cve-icon Vulnrichment

Updated: 2026-05-19T13:30:27.264Z

cve-icon NVD

Status : Deferred

Published: 2026-05-19T10:16:25.187

Modified: 2026-05-19T14:47:13.200

Link: CVE-2026-46723

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:39:35Z

Weaknesses