Path Traversal in TYPO3 Extension "Faceted Search"

CVE-2026-46724

The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences.

Vulnerability class: Path Traversal (Directory Traversal)
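The missing normalization step can be illustrated with a containment check on the configured directory. This is an added example, not code from the extension or its fix; the function name `resolveIndexDirectory`, the allowed-roots list and the demo directory names are hypothetical, and POSIX path separators are assumed.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a configured indexer directory and confirm it stays inside one of
 * the allowed roots. Hypothetical helper, not the extension's API.
 */
function resolveIndexDirectory(string $configured, string $baseDir, array $allowedRoots): string
{
    // Relative settings are interpreted against the base directory.
    $candidate = str_starts_with($configured, '/')
        ? $configured
        : rtrim($baseDir, '/') . '/' . $configured;

    // realpath() collapses "../" and "./" and follows symlinks, so the
    // comparison below runs on the location that would really be read.
    $resolved = realpath($candidate);
    if ($resolved === false || !is_dir($resolved)) {
        throw new InvalidArgumentException('Directory does not exist: ' . $configured);
    }

    foreach ($allowedRoots as $root) {
        $rootReal = realpath($root);
        if ($rootReal === false) {
            continue; // root missing on disk: cannot contain anything
        }
        // Compare with a trailing separator so "/srv/fileadmin_old" is not
        // accepted as being inside "/srv/fileadmin".
        if ($resolved === $rootReal || str_starts_with($resolved . '/', rtrim($rootReal, '/') . '/')) {
            return $resolved;
        }
    }
    throw new InvalidArgumentException('Directory is outside the allowed roots: ' . $configured);
}

// Constructed demo tree under the system temp directory.
$base = sys_get_temp_dir() . '/indexer-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/fileadmin/docs', 0700, true);
mkdir($base . '/fileadmin_old', 0700, true);
mkdir($base . '/private', 0700, true);

foreach (['fileadmin/docs', 'fileadmin/../private', 'fileadmin/../fileadmin_old', 'fileadmin/docs/../../../'] as $setting) {
    try {
        echo $setting, ' => ', resolveIndexDirectory($setting, $base, [$base . '/fileadmin']), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $setting, ' => rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Running the check again when the indexer starts, not only when the configuration record is saved, covers symlinks that change after the setting was validated.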

EPSS: 0.001 (17.7th percentile)

Affected products

Weakness classification (CWE)

References