Description

The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.

PUBLISHED Reserved 2026-05-16 | Published 2026-05-19 | Updated 2026-05-19 | Assigner TYPO3




MEDIUM: 5.9 | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-611 Improper Restriction of XML External Entity Reference

Product status

Default status: unaffected

7.0.0 (semver) before 7.0.1: affected

6.0.0 (semver) before 6.6.1: affected

Any version before 5.6.2: affected

Credits

Seungbin Yang (reporter)

Christian Bülter (remediation developer)

References

typo3.org/security/advisory/typo3-ext-sa-2026-011 (vendor-advisory)

cve.org (CVE-2026-46722)

nvd.nist.gov (CVE-2026-46722)
