Cross-Site Scripting Vulnerability in TYPO3 CMS
CVE-2026-47348

5.1MEDIUM

Key Information:

Vendor

Typo3

Status
Vendor
CVE Published:
9 June 2026

What is CVE-2026-47348?

A vulnerability has been identified in TYPO3 CMS that allows editors with permissions to modify page content to introduce unsanitized HTML markup into page titles. This markup, which is then indexed, can lead to Cross-Site Scripting (XSS) when rendered in frontend search results via the Indexed Search plugin. Specifically, affected TYPO3 CMS versions include 13.0.0 through 13.4.30 and 14.0.0 through 14.3.2, highlighting a significant risk for websites using these versions without appropriate safeguards.

Affected Version(s)

TYPO3 CMS 13.0.0 < 13.4.31

TYPO3 CMS 14.0.0 < 14.3.3

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jan Kahmen
Sanjay Singh Jhala
Oliver Hader
.