{"id":"CVE-2026-46723","summary":"Information Disclosure in extension \"Faceted Search\" (ke_search)","details":"The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index.","aliases":["GHSA-67j3-jmm3-32xc"],"modified":"2026-07-08T08:13:38.086511808Z","published":"2026-05-19T09:23:32.228Z","database_specific":{"cwe_ids":["CWE-668"],"cna_assigner":"TYPO3","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46723.json"},"references":[{"type":"WEB","url":"https://packagist.org/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46723.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46723"},{"type":"ADVISORY","url":"https://typo3.org/security/advisory/typo3-ext-sa-2026-011"},{"type":"PACKAGE","url":"https://github.com/tpwd/ke_search"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tpwd/ke_search","events":[{"introduced":"2160a374155dcb9e3ca4c94eef019aff37ae9bb5"},{"fixed":"2cd3d49d044c58205fc1aa2a7ac13d4417fb1507"},{"introduced":"2e1882cebbf36c0caa3bae963b8b235424f520d3"},{"fixed":"ffd5006a34a71444446dafcb61a7d2a688ad0941"},{"introduced":"0"},{"fixed":"3491b7b0393c64b392fd178983c1769c44bef05d"}],"database_specific":{"extracted_events":[{"introduced":"7.0.0"},{"fixed":"7.0.1"},{"introduced":"6.0.0"},{"fixed":"6.6.1"},{"introduced":"0"},{"fixed":"5.6.2"}],"source":"AFFECTED_FIELD"}}],"versions":["v6.6.0","v5.6.1","v7.0.0","v6.5.0","v6.4.1","v6.4.0","v6.3.0","v6.2.0","v6.1.3","v6.1.2","v5.6.0","v6.1.1","v6.1.0","v5.5.3","v5.5.2","v6.0.1","v6.0.0","v5.5.1","v5.5.0","v5.4.1","v5.4.0","v5.3.0","v5.2.1","v5.2.0","v5.1.3","v5.1.2","v5.1.1","v5.1.0","v5.0.4","v5.0.3","v5.0.2","v5.0.1","v5.0.0","v4.6.3","v4.6.2","v4.6.1","v4.6.0","v4.5.1","v4.5.0","v4.4.5","v4.4.4","v4.4.3","v4.4.2","v4.4.1","v4.4.0","v4.3.1","v4.3.0","v4.2.0","v4.1.0","v4.0.1","v4.0.0","v3.9.0","v3.8.1","v3.8.0","v3.7.2","v3.7.1","v3.7.0","v3.6.1","v3.6.0","v3.5.0","v3.4.2","v3.4.1","v3.4.0","v3.3.1","v3.3.0","v3.2.0","v3.1.6","v3.1.5","v3.1.4","v3.1.3","v3.1.2","v3.1.1","v3.1.0","v3.0.6","v3.0.5","v3.0.4","v3.0.3","v3.0.2","v3.0.1","v3.0.0","v2.8.0","v2.7.0","v2.6.3","v2.6.2","v2.6.1","v2.6.0","v2.2.1","v2.5.0","v2.4.1","v2.4.0","v2.2.0","v2.1.0","v2.0.4","v2.0.3","v2.0.2","v2.0.1","v2.0.0","v1.99.7","v1.99.5","v1.99.4","1.99.4","1.99.3","1.99.2","1.99.1","v1.99.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46723.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N"}]}