MEDIUM
GHSA-67j3-jmm3-32xc
TYPO3 ke_search path traversal from arbitrary table configuration input
Details
In TYPO3 faceted fulltext search (`ke_search`), the `additional_tables` configuration of the page and `tt_content` indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index. This has been patched in versions 7.0.1, 6.6.1, 5.6.2 and 4.6.7.
Affected packages
Packagist / tpwd/ke_search
Introduced in: 7.0.0
Fixed in: 7.0.1
Fix: `composer require tpwd/ke_search:^7.0.1`

Packagist / tpwd/ke_search
Introduced in: 6.0.0
Fixed in: 6.6.1
Fix: `composer require tpwd/ke_search:^6.6.1`

Packagist / tpwd/ke_search
Introduced in: 5.0.0
Fixed in: 5.6.2
Fix: `composer require tpwd/ke_search:^5.6.2`

Packagist / tpwd/ke_search
Introduced in: 0
Fixed in: 4.6.7
Fix: `composer require tpwd/ke_search:^4.6.7`
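
To check a project against the ranges listed above, the following added example (not part of the advisory or the ke_search project) reads a `composer.lock` and classifies the installed `tpwd/ke_search` version. The function names and the sample lock content are constructed for illustration; dev branches and pre-release tags are reported as `unknown` for manual review.

```python
import json

PACKAGE = "tpwd/ke_search"
# (introduced, fixed) pairs from the advisory; the fixed version is exclusive.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 1)),
    ((6, 0, 0), (6, 6, 1)),
    ((5, 0, 0), (5, 6, 2)),
    ((0, 0, 0), (4, 6, 7)),
]


def parse_version(text):
    """Turn '6.5.0' or 'v6.5' into a 3-tuple; None if not purely numeric."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None  # e.g. 'dev-main' or '7.0.1-beta1': review manually
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def status(version_text):
    """Return 'affected', 'not affected' or 'unknown' for one version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    for introduced, fixed in AFFECTED_RANGES:
        if introduced <= version < fixed:
            return "affected"
    return "not affected"


def check_lock(lock_text):
    """Scan composer.lock content; return (installed version, status)."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                return pkg.get("version", ""), status(pkg.get("version", ""))
    return None, "not installed"


# Constructed sample composer.lock excerpt (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "typo3/cms-core", "version": "v12.4.10"},
                 {"name": "tpwd/ke_search", "version": "6.5.0"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```
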