Stored XSS in TYPO3 CMS via Indexed Search Plugin

Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue in TYPO3 CMS where editors who can create or modify page content were able to include HTML markup in page titles. These titles were stored in the search index without proper sanitization. When displayed in frontend search results via the Indexed Search plugin, the titles were rendered without proper output encoding, allowing malicious scripts to be executed in users' browsers.

The root cause was the lack of encoding of user-submitted content before rendering it in the HTML output. The fix involved applying proper encoding (using htmlspecialchars) to the page titles before displaying them, preventing script injection.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the affected search results. This can lead to theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of users, or the spread of malware.

Since the vulnerability requires an editor-level user to inject malicious HTML into page titles, the risk is higher in environments where multiple users have content editing privileges.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the CVE-2026-47348 vulnerability, you should update your TYPO3 CMS installation to a fixed version. The vulnerability affects TYPO3 versions 13.0.0 to 13.4.30 and 14.0.0 to 14.3.2, and has been fixed in versions 13.4.31 LTS and 14.3.3 LTS.

Additionally, follow the TYPO3 Security Guide recommendations and subscribe to the typo3-announce mailing list to stay informed about security updates.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows Cross-Site Scripting (XSS) attacks through unsanitized HTML markup in page titles displayed in frontend search results. Such XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, or manipulation of displayed content.

From a compliance perspective, XSS vulnerabilities can impact adherence to standards and regulations like GDPR and HIPAA because they may lead to unauthorized disclosure or compromise of personal or sensitive information. Organizations using affected TYPO3 CMS versions could face risks related to data protection and privacy obligations if attackers exploit this vulnerability.

Therefore, addressing this vulnerability by applying the provided security updates is important to maintain compliance with such regulations and to protect user data from potential cross-site scripting attacks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the TYPO3 CMS versions in use are within the affected ranges (13.0.0 to 13.4.30 and 14.0.0 to 14.3.2) and by testing whether HTML markup in page titles is rendered unsanitized in frontend search results.

One practical approach is to attempt injecting HTML or script tags into page titles via the editor interface and then searching for those pages using the Indexed Search plugin to see if the injected code executes or appears as raw HTML.

For command-line detection, you can check the installed TYPO3 version with commands like:

• php typo3/sysext/core/bin/typo3 --version

Additionally, you can search the database for page titles containing HTML tags using SQL commands such as:

• SELECT uid, title FROM pages WHERE title LIKE '%<%';

This query helps identify page titles that include HTML markup, which could be exploited by this vulnerability.

Finally, reviewing the frontend search results for these pages to confirm if the HTML is rendered unsanitized can confirm the presence of the vulnerability.

Useful 0 Not Useful 0