Description

The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences.

PUBLISHED Reserved 2026-05-16 | Published 2026-05-19 | Updated 2026-05-19 | Assigner TYPO3




MEDIUM: 5.9 | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

7.0.0 (semver) before 7.0.1: affected

6.0.0 (semver) before 6.6.1: affected

Any version before 5.6.2: affected

Credits

Seungbin Yang reporter

Christian Bülter remediation developer

References

typo3.org/security/advisory/typo3-ext-sa-2026-011 vendor-advisory

cve.org (CVE-2026-46724)

nvd.nist.gov (CVE-2026-46724)
