Description
Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is an unauthenticated denial-of-service vulnerability in the /multi_search endpoint. A specially crafted request can trigger an unhandled exception during request processing, causing the server process to terminate. This issue can be exploited over the network without authentication and results in service unavailability. The duration of impact may vary depending on system configuration and dataset size. This issue has been patched in versions 29.1 and 30.2.
Published: 2026-06-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The /multi_search endpoint in Typesense can be reached without authentication, and a specially crafted request to it causes an unhandled exception that terminates the server process. The result is a complete loss of service until the process is restarted, which can disrupt search availability for applications relying on Typesense.

Affected Systems

The vulnerability affects Typesense versions older than 29.1 and 30.2. These releases are documented as the point where the issue was patched.

Risk and Exploitability

The CVSS score of 8.7 indicates that this denial-of-service flaw is high severity. With an EPSS score of less than 1%, the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation is possible from any network location that can reach the /multi_search endpoint, without authentication. The attack vector is inferred to be remote network access because the request can be sent over the network and does not require privileged access to the server.

Generated by OpenCVE AI on June 12, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Typesense to version 29.1 or 30.2 to apply the fix that handles the unhandled exception and prevents service crashes
  • If a patch cannot be applied immediately, restrict access to the /multi_search endpoint by firewall rules or IP whitelisting to limit exposure to trusted hosts
  • Monitor application logs and process state for signs of unexpected crashes or unhandled exceptions to detect any attempted exploitation


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Typesense; Typesense typesense
Vendors & Products | | Typesense; Typesense typesense

Fri, 12 Jun 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is an unauthenticated denial-of-service vulnerability in the /multi_search endpoint. A specially crafted request can trigger an unhandled exception during request processing, causing the server process to terminate. This issue can be exploited over the network without authentication and results in service unavailability. The duration of impact may vary depending on system configuration and dataset size. This issue has been patched in versions 29.1 and 30.2.
Title | | Typesense: Unauthenticated Denial of Service in the Typesense /multi_search Endpoint
Weaknesses | | CWE-754
References | |
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:19:10.651Z

Reserved: 2026-05-18T22:25:21.258Z

Link: CVE-2026-47216

Vulnrichment

Updated: 2026-06-12T20:19:04.856Z

NVD

Status: Received

Published: 2026-06-12T18:16:34.397

Modified: 2026-06-12T18:16:34.397

Link: CVE-2026-47216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:19:30Z

Weaknesses
  • CWE-754

    Improper Check for Unusual or Exceptional Conditions