TYPO3 CMS - Cross-Site Scripting in Indexed Search
CVE-2026-47348

5.1MEDIUM

Key Information:

Vendor: Typo3
Status: Typo3 Cms
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-47348?

Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2.

Affected Version(s)

TYPO3 CMS 13.0.0 < 13.4.31

TYPO3 CMS 14.0.0 < 14.3.3

References

https://typo3.org/security/advisory/typo3-core-sa-2026-010

vendor-advisory

https://github.com/TYPO3/typo3/commit/2e96dd0e9fab7ad877b...

patch

https://github.com/TYPO3/typo3/commit/8004b91a5951cfe01dd...

patch

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
May 19, 2026

Credit

Jan Kahmen

Sanjay Singh Jhala

Oliver Hader

CVE-2026-47348 Data

JSON