CVE-2026-47348
published 2026-06-09CVE-2026-47348: Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization…
PriorityP428medium5.1CVSS 4.0
AVNACLATNPRLUIPVCLVILVANSCNSILSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.27%
18.4th percentile
Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms-core | >= 13.0.0 < 13.4.31 | 13.4.31 |
| typo3 | cms-core | >= 14.0.0 < 14.3.3 | 14.3.3 |
| typo3 | cms-indexed-search | >= 13.0.0 < 13.4.31 | 13.4.31 |
| typo3 | cms-indexed-search | >= 14.0.0 < 14.3.3 | 14.3.3 |
| typo3 | typo3_cms | >= 13.0.0 < 13.4.31 | 13.4.31 |
| typo3 | typo3_cms | >= 14.0.0 < 14.3.3 | 14.3.3 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-09
Published