CVE-2026-46722 XML External Entity Injection in extension "Faceted Search" (ke_search)

🗓️ 19 May 2026 09:23:02Reported by TYPO3Type

CVE-2026-46722 enables XML External Entity Injection in Faceted Search via Office Open XML parsing, enabling local reads or remote fetches.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2026-46722	19 May 202609:23	–	attackerkb
CNNVD	TYPO3 Extension Faceted Search 代码问题漏洞	19 May 202600:00	–	cnnvd
CVE	CVE-2026-46722	19 May 202609:23	–	cve
EUVD	EUVD-2026-30859	19 May 202609:23	–	euvd
Friends Of PHP	TYPO3-EXT-SA-2026-011: XML External Entity Injection in extension "Faceted Search" (ke_search)	18 May 202614:30	–	friendsofphp
NVD	CVE-2026-46722	19 May 202610:16	–	nvd
Positive Technologies	PT-2026-41862	19 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-46722	3 Jun 202616:02	–	redhatcve
Snyk	XML External Entity (XXE) Injection	24 May 202620:48	–	snyk
Vulnrichment	CVE-2026-46722 XML External Entity Injection in extension "Faceted Search" (ke_search)	19 May 202609:23	–	vulnrichment

[
  {
    "vendor": "TYPO3",
    "product": "Extension \"Faceted Search\"",
    "collectionURL": "https://packagist.org/",
    "packageName": "tpwd/ke_search",
    "repo": "https://github.com/tpwd/ke_search",
    "versions": [
      {
        "status": "affected",
        "version": "7.0.0",
        "lessThan": "7.0.1",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "6.0.0",
        "lessThan": "6.6.1",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "5.0.0",
        "lessThan": "5.6.2",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "0",
        "lessThan": "4.6.7",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
typo3	www.typo3.org/security/advisory/typo3-ext-sa-2026-011

03 Jun 2026 10:54Current

CVSS 45.9

EPSS0.00054

CWE-611