CVE-2026-47348
MediumCVSS 5.1Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. As a result, these titles were displayed in frontend search results without proper output encoding, leading to a Cross-Site Scripting vulnerability.
Risk Assessment
This vulnerability could allow attackers to inject malicious JavaScript code, potentially leading to user data theft or session hijacking. Organizations should be aware of the security risks associated with user data.
Recommendation
It is recommended to update TYPO3 CMS to the latest version to mitigate this vulnerability. Additionally, implementing proper sanitization and output encoding mechanisms in the application is advisable.
Original NVD description (English source)
Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2.

