Description
The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences.
Published: 2026-05-19
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the TYPO3 extension “Faceted Search” (ke_search). When a backend user edits indexer configurations, the extension fails to normalize the configured directory path, allowing the user to include path traversal sequences. This omission lets the attacker reference and index files from arbitrary locations on the server, effectively granting read access to sensitive files. The weakness is consistent with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), which covers path traversal flaws that can compromise the confidentiality and integrity of system resources.

Affected Systems

The affected product is the TYPO3 extension "Faceted Search" (ke_search). The CNA lists no specific affected versions, so every released version of the extension should be treated as vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 5.9 places this flaw in the medium severity range, and the EPSS score is not reported, so the probability of exploitation in the wild cannot be quantified. It is not present in the CISA KEV catalog. The likely attack vector requires a legitimate backend session with permission to edit indexer configurations; attackers without such access would need to compromise a user account first. Once the attacker obtains the necessary permissions, they can read any file path that the web server process can access, potentially exposing sensitive configuration files or credentials.

Generated by OpenCVE AI on May 19, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for the “Faceted Search” extension as soon as it is released.
  • Limit backend user privileges by granting edit access to the indexer configuration only to trusted administrators.
  • Configure the server’s file system permissions and the extension’s allowed directories to prevent the indexer from accessing sensitive paths.


Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Typo3
                                        Typo3 extension "faceted Search"
Vendors & Products                      Typo3
                                        Typo3 extension "faceted Search"

Tue, 19 May 2026 14:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 10:15:00 +0000

Type                  Values Removed    Values Added
Description                             The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences.
Title                                   Path Traversal in extension "Faceted Search" (ke_search)
Weaknesses                              CWE-22
References
Metrics                                 cvssV4_0: {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-05-19T13:30:48.475Z

Reserved: 2026-05-16T09:55:27.478Z

Link: CVE-2026-46724

Vulnrichment

Updated: 2026-05-19T13:30:45.761Z

NVD

Status : Deferred

Published: 2026-05-19T10:16:25.320

Modified: 2026-05-19T14:47:13.200

Link: CVE-2026-46724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:39:34Z

Weaknesses