Description
Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2.
Published: 2026-06-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Editors with the ability to create or modify page content can insert arbitrary HTML into page titles. The CMS stores those titles in the search index without sanitization. When the indexed titles are rendered in search result pages, the embedded markup is output unencoded, allowing attackers to inject malicious scripts that execute in the browsers of site visitors. This vulnerability is a classic stored cross‑site scripting flaw (CWE‑79) and can compromise user confidentiality, integrity, and trust in the site.

Affected Systems

The affected software is TYPO3 CMS. Versions 13.0.0 through 13.4.30 and 14.0.0 through 14.3.2 are vulnerable. No other vendors or products are noted as impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates the flaw is moderately severe, while the EPSS score is not available. The vulnerability is not currently listed in CISA's KEV catalog. Based on the description, it is inferred that the attack vector is web‑based, requiring an editor session to inject malicious markup into page titles. Once stored, the unsanitized titles are rendered on frontend search result pages, allowing arbitrary JavaScript execution for any visitor of those pages.

Generated by OpenCVE AI on June 9, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the patch referenced in the TYPO3 Core Security Advisory typo3-core-sa-2026-010 to update the CMS to a version that sanitizes page titles before indexing
  • If the upgrade cannot be applied immediately, disable the Indexed Search plugin or remove its usage from frontend pages
  • Ensure that any search result templates perform proper output encoding or sanitization of page titles as a temporary workaround
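The third recommended action, output encoding of indexed titles in the search result template, is illustrated below with an added PHP example. This is not TYPO3 or Indexed Search code; the function names, the markup wrapper and the sample title are constructed for the illustration. It places the unsafe rendering pattern (raw interpolation of the stored title) next to the encoded form and includes a small check a reviewer can run against template output.

```php
<?php
// Added example, not TYPO3 project code. Assumes page titles arrive as raw
// strings from the search index; all names and the sample title are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the stored title is interpolated into HTML unchanged, so
// any markup an editor saved in the title becomes active in the visitor's browser.
function renderTitleUnsafe(string $title): string
{
    return '<li class="result">' . $title . '</li>';
}

// Hardened pattern: encode for an HTML text context before interpolation.
// ENT_QUOTES also encodes single and double quotes, so the same helper is safe
// when the title is placed inside a quoted attribute value.
function renderTitleSafe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li class="result">' . $encoded . '</li>';
}

// Review check for rendered template output: after the fixed wrapper is removed,
// no unencoded tag delimiters or ampersands from the title may remain.
function titleIsEncoded(string $renderedItem): bool
{
    $inner = preg_replace('#^<li class="result">|</li>$#', '', $renderedItem);
    return strpos($inner, '<') === false
        && strpos($inner, '>') === false
        && preg_match('/&(?!(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);)/', $inner) !== 1;
}

// Constructed sample: a title containing markup, as an editor could have saved it.
$storedTitle = 'Summer <b>sale</b> & more <script>/* constructed */</script>';

echo renderTitleUnsafe($storedTitle), PHP_EOL;
echo renderTitleSafe($storedTitle), PHP_EOL;

var_dump(titleIsEncoded(renderTitleUnsafe($storedTitle))); // unsafe rendering fails the check
var_dump(titleIsEncoded(renderTitleSafe($storedTitle)));   // encoded rendering passes
```

The encoding must happen at output time, in the context the value is written into; sanitizing only at index time, as the advisory fix does, still leaves templates that re-enable raw output exposed to any unsanitized titles already present in the index, so both layers are worth reviewing.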


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 11:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2.
Title               |                | TYPO3 CMS - Cross-Site Scripting in Indexed Search
First Time appeared |                | Typo3, Typo3 typo3
Weaknesses          |                | CWE-79
CPEs                |                | cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Vendors & Products  |                | Typo3, Typo3 typo3
References          |                |
Metrics             |                | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T14:27:49.563Z

Reserved: 2026-05-19T12:49:25.966Z

Link: CVE-2026-47348

Vulnrichment

Updated: 2026-06-09T14:27:40.979Z

NVD

Status: Deferred

Published: 2026-06-09T11:16:52.583

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-47348

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses