CVE Catalog

CVE-2026-47348

MediumCVSS 5.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

14th percentile - higher than 14% of all known CVEs

Summary

Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. As a result, these titles were displayed in frontend search results without proper output encoding, leading to a Cross-Site Scripting vulnerability.

Risk Assessment

This vulnerability could allow attackers to inject malicious JavaScript code, potentially leading to user data theft or session hijacking. Organizations should be aware of the security risks associated with user data.

Recommendation

It is recommended to update TYPO3 CMS to the latest version to mitigate this vulnerability. Additionally, implementing proper sanitization and output encoding mechanisms in the application is advisable.

Original NVD description (English source)

Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS