Medium severity · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-47348

Description

Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2.

Patches

2e96dd0e9fab

[SECURITY] Encode indexed search results in frontend rendering

https://github.com/TYPO3/typo3 · Oliver Hader · Jun 9, 2026 · via github-commit-search
1 file changed · +2 −1
  • typo3/sysext/indexed_search/Classes/Controller/SearchController.php (modified, +2 −1)
    @@ -399,14 +399,15 @@ protected function compileSingleResultRow(array $searchData, array $row, int $he
             }
             $title = $resultData['item_title'] . ($resultData['titleaddition'] ?? '');
             $title = GeneralUtility::fixed_lgd_cs($title, (int)$this->settings['results.']['titleCropAfter'], $this->settings['results.']['titleCropSignifier']);
    +        $title = htmlspecialchars($title);
             // If external media, link to the media-file instead.
             if ($row['item_type']) {
                 if ($row['show_resume']) {
                     $targetAttribute = '';
                     if ($typoScriptConfigArray['fileTarget'] ?? false) {
                         $targetAttribute = ' target="' . htmlspecialchars($typoScriptConfigArray['fileTarget']) . '"';
                     }
    -                $title = '<a href="' . htmlspecialchars($row['data_filename']) . '"' . $targetAttribute . '>' . htmlspecialchars($title) . '</a>';
    +                $title = '<a href="' . htmlspecialchars($row['data_filename']) . '"' . $targetAttribute . '>' . $title . '</a>';
                 } else {
                     // Suspicious, so linking to page instead...
                     $copiedRow = $row;
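Review bot: Dropping the inner `htmlspecialchars($title)` from the `show_resume` branch is the right companion to the new encode-once line (`$title = htmlspecialchars($title);`), but the visible context stops at the `else` branch ("Suspicious, so linking to page instead..."), so please confirm that this branch and the non-file path below it also treat `$title` as already-encoded HTML and neither encode it a second time (visitors would then read `&amp;lt;` literally) nor build their output from a separate raw copy of the item title.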
    
8004b91a5951

[SECURITY] Encode indexed search results in frontend rendering

https://github.com/TYPO3/typo3 · Oliver Hader · Jun 9, 2026 · via nvd-ref
1 file changed · +2 −1
  • typo3/sysext/indexed_search/Classes/Controller/SearchController.php (modified, +2 −1)
    @@ -391,14 +391,15 @@ protected function compileSingleResultRow(array $searchData, array $row, int $he
             }
             $title = $resultData['item_title'] . ($resultData['titleaddition'] ?? '');
             $title = GeneralUtility::fixed_lgd_cs($title, (int)$this->settings['results.']['titleCropAfter'], $this->settings['results.']['titleCropSignifier']);
    +        $title = htmlspecialchars($title);
             // If external media, link to the media-file instead.
             if ($row['item_type']) {
                 if ($row['show_resume']) {
                     $targetAttribute = '';
                     if ($typoScriptConfigArray['fileTarget'] ?? false) {
                         $targetAttribute = ' target="' . htmlspecialchars($typoScriptConfigArray['fileTarget']) . '"';
                     }
    -                $title = '<a href="' . htmlspecialchars($row['data_filename']) . '"' . $targetAttribute . '>' . htmlspecialchars($title) . '</a>';
    +                $title = '<a href="' . htmlspecialchars($row['data_filename']) . '"' . $targetAttribute . '>' . $title . '</a>';
                 } else {
                     // Suspicious, so linking to page instead...
                     $copiedRow = $row;
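Review bot: Placing `htmlspecialchars($title)` after `GeneralUtility::fixed_lgd_cs()` is the correct order (cropping an already-encoded string could cut an entity such as `&lt;` in half), but it also means the configured `titleCropSignifier`, which `fixed_lgd_cs()` appends to the cropped title, is now encoded together with it; a signifier configured as an HTML entity or tag will render literally after this change, so that behaviour change should be noted in the changelog alongside the security fix.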
    

Vulnerability mechanics

Root cause

"HTML markup in page titles was not properly sanitized before being stored in the search index and rendered in frontend search results."

Attack vector

Editors with content creation privileges could insert HTML markup into page titles. This markup was then stored in the search index without sanitization. When these titles are displayed in frontend search results via the Indexed Search plugin, the unencoded HTML is rendered by the browser, leading to Cross-Site Scripting [ref_id=1].

Affected code

The vulnerability exists in the `compileSingleResultRow` method of `SearchController.php` (`typo3/sysext/indexed_search/Classes/Controller/SearchController.php`). The affected code paths are those where the `$title` variable is processed and rendered into frontend search results [ref_id=1].

What the fix does

The patch encodes the title once, with `htmlspecialchars($title)`, immediately after it has been cropped and before any output string for the result row is built [ref_id=1]. The encoding call that previously sat inside the file-link branch is removed at the same time, so the title is not encoded twice. Any HTML markup injected into a page title is therefore rendered as literal text rather than interpreted by the browser, which closes the Cross-Site Scripting vulnerability.
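The encoding order the patch establishes, as an added illustration that is not TYPO3's own code; it assumes a small `cropTitle()` stand-in for `GeneralUtility::fixed_lgd_cs()`, a `wrapInFileLink()` helper mirroring the file-link branch, and a constructed sample title:

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code. cropTitle() is an assumed stand-in for
// GeneralUtility::fixed_lgd_cs(): cut $str to $chars characters and append
// $signifier when something was cut.
function cropTitle(string $str, int $chars, string $signifier): string
{
    return mb_strlen($str) <= $chars ? $str : mb_substr($str, 0, $chars) . $signifier;
}

// The order the patch establishes: crop the raw stored title, then encode once.
function compileTitle(string $storedTitle, int $cropAfter, string $signifier): string
{
    $title = cropTitle($storedTitle, $cropAfter, $signifier);
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Wraps an already-encoded title in the file link, as the show_resume branch does
// after the fix: the filename is encoded here, the title is not encoded again.
function wrapInFileLink(string $encodedTitle, string $filename): string
{
    return '<a href="' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
        . $encodedTitle . '</a>';
}

// Constructed sample: a page title saved by an editor with markup in it.
$stored = 'Annual report <img src=x onerror=alert(1)> 2026';

// 1. Encoded once: the browser shows the tag as text instead of executing it.
$safe = compileTitle($stored, 60, '...');
echo $safe, PHP_EOL;
echo wrapInFileLink($safe, 'fileadmin/report.pdf'), PHP_EOL;

// 2. Why the inner htmlspecialchars() was removed from the link branch: encoding
//    the already-encoded string turns "&lt;" into "&amp;lt;", so visitors would
//    read the entities literally instead of the title text.
echo htmlspecialchars($safe), PHP_EOL;

// 3. Why encoding follows cropping: cropping after encoding can cut an entity
//    in half (the output ends in "&l..."), corrupting the markup.
echo cropTitle(htmlspecialchars($stored), 16, '...'), PHP_EOL;
```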

Preconditions

  • Auth: The attacker must have editor privileges with the ability to create or modify page content.
  • Input: The attacker must be able to insert HTML markup into page titles.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
