CVE-2026-46722
TYPO3 ke_search XML External Entity Injection
Description
In TYPO3 faceted fulltext search (`ke_search`), the OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index. This has been patched in versions 7.0.1, 6.6.1, 5.6.2 and 4.6.7.
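The root cause above is that an OOXML part (the XML files inside the xlsx/pptx zip) is handed to an XML parser that still honours entity declarations. OOXML parts never legitimately carry a DOCTYPE, so a defender can refuse any part that declares one before an indexer ever sees it. The following added example (Python, not ke_search's own PHP code) shows that check as a scanner you could run over an indexed directory, plus a minimal indexer-style text extraction that refuses the whole document when any part fails. The workbook bytes are constructed inline for the demo and are not a real fixture; `UnsafeOoxmlPart`, `scan_archive` and `extract_shared_strings` are names chosen here.

```python
"""Defender-side DTD check for OOXML parts before indexing.
Added example, not code from the ke_search extension.
All document content below is constructed for the demo."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeOoxmlPart(ValueError):
    """Raised when an OOXML part declares a DOCTYPE (the only place an
    entity, internal or external, can be declared)."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Raise UnsafeOoxmlPart if the part declares a DOCTYPE.

    expat is used instead of a byte search so the check follows the part's
    declared encoding (a UTF-16 part would slip past a naive b'<!DOCTYPE' grep).
    Parsing stops at the DOCTYPE start, before any entity is processed."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeOoxmlPart(f"DOCTYPE '{name}' declared (sysid={sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def parse_part(xml_bytes: bytes) -> ET.Element:
    """Parse one OOXML part only after it has passed the DTD check."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


XML_PARTS = (".xml", ".rels")


def scan_archive(data: bytes) -> dict[str, str]:
    """Return {part_name: reason} for every XML part an indexer should refuse."""
    findings: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(XML_PARTS):
                continue
            try:
                reject_dtd(zf.read(name))
            except UnsafeOoxmlPart as exc:
                findings[name] = str(exc)
            except expat.ExpatError as exc:
                findings[name] = f"not well-formed XML: {exc}"
    return findings


SST_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def extract_shared_strings(data: bytes) -> list[str]:
    """What a file indexer wants from a workbook: its shared-string text.
    Refuses the whole document if any part fails the DTD check."""
    findings = scan_archive(data)
    if findings:
        raise UnsafeOoxmlPart(f"refusing document: {findings}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = parse_part(zf.read("xl/sharedStrings.xml"))
    return [t.text or "" for t in root.iter(f"{{{SST_NS}}}t")]


def build_sample_xlsx(with_doctype: bool) -> bytes:
    """Constructed minimal workbook (only the parts this demo reads).
    With with_doctype=True the shared-strings part carries a harmless
    internal DTD, which is enough to trip the check."""
    dtd = '<!DOCTYPE sst [<!ENTITY placeholder "constructed">]>\n' if with_doctype else ""
    sst = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        + dtd
        + f'<sst xmlns="{SST_NS}" count="2" uniqueCount="2">'
        "<si><t>hello</t></si><si><t>world</t></si></sst>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("xl/sharedStrings.xml", sst)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean:", extract_shared_strings(build_sample_xlsx(False)))
    print("flagged:", scan_archive(build_sample_xlsx(True)))
```

The same rule, refuse any DOCTYPE in an OOXML part before it reaches the XML parser, is what a PHP-based indexer should enforce as well; it removes the entity mechanism entirely rather than relying on the parser's entity-loading defaults, which have differed across PHP and libxml2 versions.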
How to fix CVE-2026-46722
To remediate CVE-2026-46722, upgrade the affected package to a fixed version below.
- Packagist: tpwd/ke_search, upgrade to 7.0.1 or later
Is CVE-2026-46722 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-46722.
Affected packages (1)
- >= 7.0.0, < 7.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N |