XXE in Typo3 Extension "Faceted Search"
CVE-2026-46722
The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieve…
Vulnerability class: XXE (XML External Entity)
EPSS: 0.001 (17.1th percentile)
Affected products
- Typo3 Extension "Faceted Search" — versions 6.0.0, 7.0.0, 5.0.0
Weakness classification (CWE)
References
- f4fb688c-4412-4426-b4b8-421ecf27b14a (vendor-advisory)
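
A pre-index check for the parsing flaw described above, as an added example that is not code from the extension or its vendor: it flags xlsx/pptx packages whose XML parts declare a DTD or entity before they reach the file indexer. The function names, the part path and both sample documents are constructed for illustration.

```python
import io
import re
import zipfile

# XML-bearing parts of an OOXML package: *.xml and relationship files (*.rels)
XML_PART = re.compile(r"\.(xml|rels)$", re.IGNORECASE)
# Office-generated parts carry no DTD, so any declaration is a reason to quarantine
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b")
MAX_PART_BYTES = 20 * 1024 * 1024  # read cap per part, bounds decompression


def parts_with_dtd(data: bytes) -> list[str]:
    """Return the names of XML parts that contain a DOCTYPE or ENTITY declaration."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not XML_PART.search(info.filename):
                continue
            with pkg.open(info) as part:
                raw = part.read(MAX_PART_BYTES)
            # UTF-16 parts start with a BOM; normalise so the byte regex still matches
            if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
                raw = raw.decode("utf-16", errors="replace").encode("utf-8")
            if DTD_MARKER.search(raw):
                flagged.append(info.filename)
    return flagged


def build_package(part_xml: bytes) -> bytes:
    """Constructed minimal xlsx-like package (sample input, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        pkg.writestr("xl/sharedStrings.xml", part_xml)
    return buf.getvalue()


# Constructed samples: a plain part, and one with an internal entity declaration
CLEAN = b'<?xml version="1.0"?><sst><si><t>hello</t></si></sst>'
SUSPECT = (b'<?xml version="1.0"?><!DOCTYPE sst [<!ENTITY e "constructed">]>'
           b"<sst><si><t>&e;</t></si></sst>")

if __name__ == "__main__":
    for label, part in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, parts_with_dtd(build_package(part)))
```

This is a filter in front of the indexer, not a replacement for the fix: the parser itself still needs external entity resolution disabled.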