CVE-2026-47348

UNKNOWN 0.0

TYPO3 CMS - Cross-Site Scripting in Indexed Search

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

14th

Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2.

CWE	CWE-79
Vendor	typo3
Product	typo3 cms
Published	Jun 9, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for typo3 typo3 cms

Be the first to know when new unknown vulnerabilities affecting typo3 typo3 cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

TYPO3 / TYPO3 CMS

13.0.0 < 13.4.31 14.0.0 < 14.3.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

typo3.org: https://typo3.org/security/advisory/typo3-core-sa-2026-010 github.com: https://github.com/TYPO3/typo3/commit/2e96dd0e9fab7ad877b741fb9f6fc645b4270a3e github.com: https://github.com/TYPO3/typo3/commit/8004b91a5951cfe01dda8554f77d0daa82d6b899

Credits

🔍 Jan Kahmen 🔍 Sanjay Singh Jhala Oliver Hader