TYPO3 Core: Stored XSS in the Indexed Search System Extension

Editors with permission to create or modify page content can embed HTML and script markup in page titles, which the Indexed Search system extension shipped in the TYPO3 core renders unescaped into the search results of unauthenticated frontend visitors.

Advisory ID: TP-2026-011
Product: TYPO3 CMS (widely used open-source enterprise CMS; the affected component is the Indexed Search system extension shipped in the core, not a third-party addon)
Vulnerability type: Stored cross-site scripting (CWE-79)
CVE: CVE-2026-47348
CVSS 4.0: 5.1 (Medium) · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N
Affected versions: 13.0.0 - 13.4.30, 14.0.0 - 14.3.2
Fixed in: 13.4.31 LTS, 14.3.3 LTS
Vendor advisory: TYPO3-CORE-SA-2026-010
Reported: 21 April 2026

Summary

TYPO3 CMS is a widely used open-source enterprise content management system. Indexed Search (ext:indexed_search) is a system extension shipped as part of the TYPO3 core (a sysext), not a third-party addon; it provides full-text search for frontend visitors and prints the title of each matched page in the result list. That page title is rendered through the f:format.raw ViewHelper, which disables the HTML output encoding Fluid applies by default. A backend editor with permission to create or modify page content can therefore store arbitrary HTML and script markup in a page title, which executes unchanged in a visitor's browser whenever that page appears in a search result list. The result is persistent cross-site scripting, planted by a privileged editor and triggered against unauthenticated frontend visitors. turingpoint verified the flow and reported it responsibly to the vendor.

Root cause

Indexed Search builds the result rows of the frontend search from the indexed page records and prints the page title field into the result template of EXT:indexed_search. The title is rendered through the f:format.raw ViewHelper, which deliberately disables the htmlspecialchars output encoding that Fluid applies by default. The page title comes from the page record's title field, which any backend user with write access to the page or its content can set to arbitrary text, including HTML and script markup. Because the value is encoded neither on storage nor on render, stored markup reaches the visitor's DOM verbatim as soon as the indexed page appears as a search result. The default Indexed Search frontend plugin exposes this path to unauthenticated visitors, so no authentication is required on the victim side and only a search that surfaces the poisoned page is needed.

Proof of Concept

Prerequisites are a backend account with permission to create or modify page content and an Indexed Search plugin embedded in the frontend:

# 1) As an editor, set the page title to script markup:
Page title:  <img src=x onerror=alert(document.domain)>

# 2) Have the page picked up by the Indexed Search indexer
#    (page view or crawler run)

# 3) As an unauthenticated visitor, search the frontend search form
#    for a term that returns the prepared page as a hit.
#    The result row prints the title via f:format.raw.

Because Indexed Search writes the page title into the result list through f:format.raw with no output encoding, the onerror handler runs in the browser of every visitor who opens the search results.

Impact

  • Execution of arbitrary JavaScript in the browser of unauthenticated frontend visitors who run a search that surfaces the prepared page.
  • Theft of session cookies and CSRF tokens, and actions on behalf of logged-in users who open the search results.
  • Phishing and content manipulation within the trusted TYPO3 domain.
  • Persistent effect: the markup stays stored in the indexed page title and fires again on every view of the search results.
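The markup persists in the stored page title, so besides updating to a fixed release a defender will want to find titles that already carry it. The following audit is an added example, not TYPO3 or turingpoint code: it flags markup in rows exported from the `pages` table (the sample rows are constructed) and shows the encoding Fluid applies by default, which f:format.raw switched off for this field.

```python
"""Audit stored TYPO3 page titles for HTML/script markup and show how
Fluid's default output encoding would neutralise it.

Added example, not TYPO3 or turingpoint code. Assumes (uid, title) rows
exported from the `pages` table; the sample rows below are constructed.
"""
import html
import re

# Constructed sample rows as they might be exported from `pages`.
SAMPLE_ROWS = [
    (1, "Home"),
    (2, "Products & Services"),
    (3, "<img src=x onerror=alert(document.domain)>"),
    (4, "Contact <script>fetch('/x')</script>"),
    (5, 'Press "Releases"'),
]

# A legitimate page title never needs a tag or an inline event handler.
# Both patterns are heuristics: review flagged rows by hand.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")
EVENT_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def is_suspicious_title(title: str) -> bool:
    """Return True when a title contains tag-like markup or an on*= handler."""
    return bool(TAG_RE.search(title) or EVENT_RE.search(title))


def find_poisoned_titles(rows):
    """Return the (uid, title) rows whose title carries markup."""
    return [(uid, title) for uid, title in rows if is_suspicious_title(title)]


def render_encoded(title: str) -> str:
    """Encode the same characters Fluid's default output escaping
    (htmlspecialchars with quotes) encodes; f:format.raw skips this step,
    so the stored markup reached the visitor's DOM verbatim."""
    return html.escape(title, quote=True)


if __name__ == "__main__":
    for uid, title in find_poisoned_titles(SAMPLE_ROWS):
        print(f"pages.uid={uid}: {title!r}")
        print(f"  rendered with default encoding: {render_encoded(title)}")
```

Run against a real export, every flagged row is a title to clean up in the backend and to re-index afterwards so the indexer's copy no longer carries the markup either.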

Is Something Like This in Your Software?

Our team found this vulnerability in the course of its work. Have your applications tested by the same specialists, with a penetration test from turingpoint.