
TYPO3-EXT-SA-2026-011: Multiple vulnerabilities in extension "Faceted Search" (ke_search)

Categories: Development Created by Torben Hansen

It has been discovered that the extension "Faceted Search" (ke_search) is vulnerable to XML External Entity injection, Path Traversal and Information Disclosure.

Problem Description

The OOXML parsing of the file indexer does not disable external entity resolution, making it susceptible to XML External Entity Injection. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.

Additionally, the additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names, allowing a backend user with permission to edit indexer configurations to copy sensitive data from internal TYPO3 tables into the search index. Similarly, the file indexer does not normalize the configured directory paths, allowing such a user to index documents from arbitrary locations on the server file system through path traversal sequences.
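The two issue classes described above (external entity resolution in OOXML parts and unnormalized indexer directories) can be checked for defensively as sketched here. This is an added PHP example, not code from ke_search or TYPO3; the function names are hypothetical, the sample XML is constructed, and the directory is assumed to be configured relative to an allowed root such as the fileadmin path.

```php
<?php
// Added example (not ke_search code). Hypothetical helper names.

/**
 * Parse one XML part of an OOXML package (e.g. xl/sharedStrings.xml in an xlsx)
 * without resolving external entities. Returns null if the part is rejected.
 */
function parseOoxmlPartSafely(string $xml): ?DOMDocument
{
    // OOXML parts never legitimately carry a DTD, and a DTD is the only place an
    // external entity can be declared, so refuse any DOCTYPE/ENTITY outright.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return null;
    }
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. Deliberately do NOT pass
    // LIBXML_NOENT or LIBXML_DTDLOAD: those flags switch entity substitution on.
    // (On PHP 7 libxml_disable_entity_loader(true) was additionally required.)
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $ok ? $dom : null;
}

/**
 * Canonicalise a configured indexer directory (relative to $allowedRoot) and
 * require it to stay inside that root, so "../" sequences cannot escape it.
 * Returns the canonical path, or null if it escapes the root or does not exist.
 */
function resolveIndexDirectory(string $allowedRoot, string $configured): ?string
{
    $root = realpath($allowedRoot);            // false if the root itself is missing
    if ($root === false) {
        return null;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR);
    $target = realpath($root . DIRECTORY_SEPARATOR . $configured); // resolves ".." and symlinks
    if ($target === false) {
        return null;
    }
    // Prefix-compare with a trailing separator so "/srv/fileadmin2" cannot pass for "/srv/fileadmin".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($target !== $root && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed samples: a benign sharedStrings part and one that declares an external entity.
$benign  = '<?xml version="1.0"?><sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><si><t>hello</t></si></sst>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]><sst><si><t>&e;</t></si></sst>';
var_dump(parseOoxmlPartSafely($benign) instanceof DOMDocument); // bool(true)
var_dump(parseOoxmlPartSafely($withDtd));                        // NULL
var_dump(resolveIndexDirectory(sys_get_temp_dir(), '../../..')); // NULL: escapes the root
```

An indexer that rejects the part (null) should log the offending file rather than index it, since the rejected content is exactly what would otherwise end up in the search index.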

Solution

Updated versions 7.0.1, 6.6.1 and 5.6.2 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/ke_search/7.0.1/zip
https://extensions.typo3.org/extension/download/ke_search/6.6.1/zip
https://extensions.typo3.org/extension/download/ke_search/5.6.2/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Seungbin Yang for reporting the vulnerabilities and to Christian Bülter for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.