CVE-2026-46722
Description
The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The OOXML parser in TYPO3 ke_search file indexer fails to disable external entity resolution, enabling XXE attacks via crafted documents.
Vulnerability
The ke_search extension for TYPO3 fails to disable external entity resolution when parsing OOXML files (.xlsx, .pptx) in its file indexer. This XML External Entity (XXE) vulnerability affects versions 7.0.0, 6.0.0 through 6.6.0, and 5.6.1 and below [1]. OOXML documents are ZIP containers whose parts are XML; the indexer extracts those parts and hands them to an XML parser that still honours DOCTYPE declarations and SYSTEM entities, so a document placed in a configured indexed directory decides what the parser reads or fetches.
Exploitation
An attacker who can place a crafted OOXML document into a directory that ke_search indexes can trigger the vulnerability. No TYPO3 account or other privilege is needed; the only precondition is write access to an indexed location. When the file indexer parses the document, the XXE payload makes the parser read local files or perform outbound HTTP requests, and the retrieved content is stored in the search index [1]. The parser runs with the permissions of the indexing process, so any file that process can read is in scope.
Impact
Successful exploitation allows an attacker to read files on the server's filesystem that the indexing process can access (e.g., configuration files, credentials) or to perform Server-Side Request Forgery (SSRF) against internal network resources. The exfiltrated data is written to the search index, from which it can be retrieved by querying the site's search functionality, leading to information disclosure [1].
Mitigation
The vulnerability is fixed in versions 7.0.1, 6.6.1, and 5.6.2 of the ke_search extension [1]. Users should update to the fixed release for their branch. No workarounds are documented. The extension is not part of the TYPO3 core, so a core update does not cover it; administrators should check whether ke_search is installed and update it separately. Because exfiltrated content persists in the search index, re-indexing after the update is prudent.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in our index yet)