
Description

Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2.

PUBLISHED Reserved 2026-05-19 | Published 2026-06-09 | Updated 2026-06-09 | Assigner TYPO3




MEDIUM: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

13.0.0 (semver) before 13.4.31
affected

14.0.0 (semver) before 14.3.3
affected

Credits

Jan Kahmen reporter

Sanjay Singh Jhala reporter

Oliver Hader remediation developer

References

typo3.org/security/advisory/typo3-core-sa-2026-010 vendor-advisory

github.com/...ommit/2e96dd0e9fab7ad877b741fb9f6fc645b4270a3e (Git commit of main branch) patch

github.com/...ommit/8004b91a5951cfe01dda8554f77d0daa82d6b899 (Git commit of 13.4 branch) patch

cve.org (CVE-2026-47348)

nvd.nist.gov (CVE-2026-47348)
