CVE-2026-47348
TYPO3 CMS has Cross-Site Scripting in Indexed Search
Description
### Problem

Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability.

### Solution

Update to TYPO3 versions 13.4.31 LTS or 14.3.3 LTS, which fix the problem described.

### Credits

TYPO3 CMS thanks Jan Kahmen and Sanjay Singh Jhala for reporting this issue, and TYPO3 core & security team member Oliver Hader for fixing it.

### Resources

* [TYPO3-CORE-SA-2026-010](https://typo3.org/security/advisory/typo3-core-sa-2026-010)
How to fix CVE-2026-47348
To fix CVE-2026-47348, upgrade the affected packages to the patched versions listed below.
- — Upgrade to 13.4.31 or later
- — Upgrade to 13.4.31 or later
Is CVE-2026-47348 being exploited?
There are currently no exploitation signals. CVE-2026-47348 is not listed in CISA KEV and has no current EPSS score.
Affected packages (2)
- >= 13.0.0, < 13.4.31
- >= 13.0.0, < 13.4.31
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N |