CVE-2026-46722 Overview
CVE-2026-46722 is an XML External Entity (XXE) vulnerability in the Office Open XML (OOXML) parsing component of a TYPO3 file indexer extension. The parser does not disable external entity resolution when processing OOXML documents. An attacker who can place a crafted xlsx or pptx file in an indexed directory can trigger local file disclosure or outbound HTTP requests during indexing. Retrieved content is written into the search index, where it may be exposed through search results.
Critical Impact
A crafted OOXML document placed in an indexed directory can cause the indexer to read arbitrary local files or issue attacker-controlled outbound HTTP requests, with the retrieved data persisted in the search index.
Affected Products
- TYPO3 file indexer extension processing OOXML documents (see TYPO3 Security Advisory)
- Microsoft Office Open XML formats: xlsx and pptx
- Deployments where untrusted users can place files into directories scanned by the indexer
Discovery Timeline
- 2026-05-19 - CVE-2026-46722 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-46722
Vulnerability Analysis
The weakness is classified as Improper Restriction of XML External Entity Reference [CWE-611]. OOXML files are ZIP archives containing XML parts that describe document content. When the file indexer parses these XML parts, it uses an XML parser configured to resolve external entities. An attacker crafts an OOXML document whose embedded XML declares a DOCTYPE with an external entity referencing a local file path or an HTTP URL. During indexing, the parser resolves the entity and substitutes the retrieved content into the parsed document. The indexer then writes that content into the search index, providing a persistent disclosure channel.
Root Cause
The OOXML parsing code does not disable external entity resolution on the underlying XML reader. Secure XML processing requires explicitly disabling DOCTYPE declarations and external entity loading on the parser instance. Without those settings, the parser honors SYSTEM and PUBLIC identifiers and dereferences them through the runtime's URL resolver.
Attack Vector
The attack requires the attacker to deposit a malicious xlsx or pptx file into a directory the indexer scans. This may occur through legitimate upload features, shared file storage, or any workflow that allows attacker-influenced content to enter indexed paths. Authentication with elevated privileges is required to reach indexed locations in typical deployments, which limits remote exploitation. Once the file is processed, indexed content reflecting the entity payload becomes retrievable through normal search queries.
No verified proof-of-concept code is published. Refer to the TYPO3 Security Advisory for vendor technical details.
Detection Methods for CVE-2026-46722
Indicators of Compromise
- OOXML documents (.xlsx, .pptx) in indexed directories containing <!DOCTYPE> declarations or SYSTEM external entity references inside their XML parts.
- Unexpected outbound HTTP requests originating from the indexer process to attacker-controlled hosts.
- Search index entries containing contents of local files such as /etc/passwd, configuration files, or other paths the indexer service account can read.
Detection Strategies
- Unpack OOXML files staged for indexing and scan their XML parts for <!DOCTYPE, <!ENTITY, or SYSTEM tokens before parsing.
- Monitor the indexer service for outbound network connections; the indexer should not initiate HTTP traffic during normal document processing.
- Audit search index contents for substrings matching sensitive local file paths or markers that indicate entity expansion succeeded.
Monitoring Recommendations
- Log all file uploads and writes into directories consumed by the indexer, including source user and file hash.
- Alert on DNS or HTTP egress from the indexer host to non-allowlisted destinations.
- Review web server access logs for search queries that retrieve unusual or sensitive strings shortly after new documents are indexed.
How to Mitigate CVE-2026-46722
Immediate Actions Required
- Apply the fix published in the TYPO3 Security Advisory for the affected file indexer extension.
- Restrict write access to indexed directories so only trusted accounts can deposit files.
- Inspect existing search index data for content sourced from XXE expansion and purge tainted entries.
Patch Information
Update the affected TYPO3 extension to the fixed version listed in advisory typo3-ext-sa-2026-011. Vendor guidance and version specifics are published at the TYPO3 Security Advisory.
Workarounds
- Block egress network traffic from the indexer host to prevent successful outbound HTTP entity resolution.
- Pre-scan OOXML uploads and reject any file whose internal XML parts contain DOCTYPE or external entity declarations.
- Run the indexer under a least-privilege service account that cannot read sensitive files such as credentials or private keys.
# Configuration example - inspect OOXML parts for XXE markers before indexing
for f in /var/indexed/*.xlsx /var/indexed/*.pptx; do
unzip -p "$f" | grep -E '<!DOCTYPE|<!ENTITY|SYSTEM' \
&& echo "BLOCK: $f contains external entity markers"
done
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
