Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2026-47348— TYPO3 CMS - Cross-Site Scripting in Indexed Search

AI Predicted 6.1 Difficulty: Easy EPSS 0.47% · P37

Possible ATT&CK Techniques 1AI

T1059.007 · JavaScript

Affected Version Matrix 2

VendorProductVersion RangeStatus
TYPO3TYPO3 CMS13.0.0< 13.4.31affected
14.0.0< 14.3.3affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-47348

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
TYPO3 CMS - Cross-Site Scripting in Indexed Search
Source: NVD (National Vulnerability Database)
Vulnerability Description
Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
TYPO3 CMS 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
TYPO3 CMS是TYPO3开源的一个内容管理系统。 TYPO3 CMS 13.0.0至13.4.30版本和14.0.0至14.3.2版本存在跨站脚本漏洞,该漏洞源于页面标题中的HTML标记在存储到搜索索引时未进行清理,可能导致在前端搜索结果中渲染时产生跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
TYPO3TYPO3 CMS 13.0.0 ~ 13.4.31 -

II. Public POCs for CVE-2026-47348

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-47348

登录查看更多情报信息。

Patches & Fixes for CVE-2026-47348 (2)

Vendor Advisories for CVE-2026-47348 (1)

Same Patch Batch · TYPO3 · 2026-06-09 · 13 CVEs total

CVE-2026-47347TYPO3 CMS - Open Redirect in Core Utilities
CVE-2026-47349TYPO3 CMS - Broken Access Control in Recycler
CVE-2026-47350TYPO3 CMS - Broken Access Control in DataHandler
CVE-2026-47352TYPO3 CMS - Broken Access Control in Backend API
CVE-2026-47346TYPO3 CMS - Broken Access Control in Form Framework
CVE-2026-47351TYPO3 CMS - Broken Access Control in Clipboard
CVE-2026-47343TYPO3 CMS - Destructive Actions on File Mount Folders
CVE-2026-11607TYPO3 CMS - Broken Access Control in Form Framework
CVE-2026-49742TYPO3 CMS - Broken Access Control in Media Module
CVE-2026-49738TYPO3 CMS - Broken Access Control in File Abstraction Layer
CVE-2026-49740TYPO3 CMS - Insecure Deserialization in Core API
CVE-2026-49741TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework

IV. Related Vulnerabilities

Same product: TYPO3 CMS
Same vendor: TYPO3
Same weakness: CWE-79

V. Comments for CVE-2026-47348

No comments yet

Leave a comment