TYPO3-Security: 6 new advisories for News, KE Search and Co.

This article was automatically translated using DeepL. Therefore, inaccuracies may occur.

Security updates for News, KE Search, tt_address and three other extensions. A brief classification of what is critical and what belongs in the next maintenance run.

On May 19, 2026, the TYPO3 Security Team published six new Extension Security Advisories. Three of them concern extensions that are very common in TYPO3 projects: News (georgringer/news), KE Search (tpwd/ke_search) and tt_address (friendsoftypo3/tt-address). The other three are about Site Crawler, Frontend User Registration and a Content Element Selector. Here is a brief classification of what is really important and what the specific risk is.

News system (EXT-SA-2026-010), High

There is an SQL injection in the news system. The "Date Menu of news articles" plugin is vulnerable if the disableOverrideDemand plugin setting is not set. Using a URL parameter, any SQL can be injected from the frontend without a login. If you are using News with the Date-Menu-Plugin, you should install the update as soon as possible. Those who do not use the plugin are not directly vulnerable, but should update anyway.

Fix in versions 14.0.3, 13.0.2, 12.3.2 and 11.4.4.

KE Search (EXT-SA-2026-011), Medium

Faceted Search comes with three vulnerabilities: XML External Entity, Path Traversal and Information Disclosure. Specially crafted xlsx or pptx files in indexed directories can be used to read local files or trigger outgoing HTTP requests; the content ends up in the search index. In addition, a backend user with rights to the indexer configurations can copy internal TYPO3 tables or any files on the server into the search index.

Exploitation therefore requires backend access to the indexer configuration. Nevertheless, you should not wait too long with the update, especially if several editors or admins have access to the indexer settings.

Fix in versions 7.0.1, 6.6.1 and 5.6.2.

tt_address (EXT-SA-2026-012), Medium

User input is not properly escaped in the AddressRepository::getSqlQuery() method. Result: SQL injection. Important to know: the method is not called anywhere within tt_address itself, so there is no direct risk in a standard installation. You are only vulnerable if your own or a third-party extension uses this method with unchecked input.

The update should be installed anyway. The argument "we don't call the method ourselves" is too thin as soon as a third-party developer has used the method in a site package or a project extension.

Fix in versions 10.0.1, 9.1.1 and 8.1.2.

The three other extensions at a glance

  • Site Crawler (tomasnorre/crawler), High: Insecure deserialization in the response header X-T3Crawler-Meta. Leads to remote code execution, but can only be exploited if an admin sets up a crawl configuration and a suitable scheduler task. Risk especially in setups with multiple admins. Fix in 12.0.11 and 11.0.13.
  • Frontend User Registration / sf_register (evoweb/sf-register), Medium: Broken Access Control. When creating or editing frontend users, any FE groups can be assigned. Anyone using sf_register for frontend registrations should update promptly, as unauthorized access to protected frontend areas is possible. Fix in 14.0.2 and 13.2.4.
  • Content Element Selector (mmc/ceselector), Critical: Insecure deserialization of a cookie leads to remote code execution, without login, directly from the public network. Prerequisite is the plugin configuration "Persistent Mode: Static". If you use this extension: update immediately. Fix in 6.0.1, 5.0.1, 4.0.2 and 3.0.3.

What you should do now as an integrator

A quick inventory is usually enough. Running composer show or checking the Extension Manager shows which of the packages mentioned are installed and in which version. Then install the updates, clear the caches and run the indexer once for KE Search.

The order of urgency:

  1. Content Element Selector (Critical, unauthenticated, accessible from the network)
  2. News with active date menu plugin (High, unauthenticated)
  3. Site Crawler (High, but admin requirement)
  4. KE Search, sf_register, tt_address (Medium, belong in the next maintenance run)
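To make the inventory and the urgency list repeatable, here is an added example (not code from this article or from any of the extensions) that scans a composer.lock for the six packages, compares the installed version with the fixed release of the same major branch as listed above, and sorts the findings in the article's urgency order. The sample lock content is constructed.

```python
import json
import re
# Fixed releases and urgency rank (1 = patch first) per extension, from the advisories above.
ADVISORIES = {
    "mmc/ceselector":            ("Critical", 1, ["6.0.1", "5.0.1", "4.0.2", "3.0.3"]),
    "georgringer/news":          ("High",     2, ["14.0.3", "13.0.2", "12.3.2", "11.4.4"]),
    "tomasnorre/crawler":        ("High",     3, ["12.0.11", "11.0.13"]),
    "tpwd/ke_search":            ("Medium",   4, ["7.0.1", "6.6.1", "5.6.2"]),
    "evoweb/sf-register":        ("Medium",   4, ["14.0.2", "13.2.4"]),
    "friendsoftypo3/tt-address": ("Medium",   4, ["10.0.1", "9.1.1", "8.1.2"]),
}

def parse_version(text):
    """'v14.0.2' or '14.0.2' -> (14, 0, 2); None for dev-* or branch references."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+).*", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def assess(name, installed):
    """Return (status, fixed release for the installed major branch)."""
    cur = parse_version(installed)
    if cur is None:
        return "unknown", None             # dev branch or tag: check by hand
    for fix in ADVISORIES[name][2]:
        fixed = parse_version(fix)
        if fixed[0] == cur[0]:              # same major branch as a fixed release
            return ("ok" if cur >= fixed else "vulnerable"), fix
    return "no-fix-listed", None           # no fixed release listed for this major

def check_lock(lock_json):
    """Scan a composer.lock document; return affected packages, most urgent first."""
    data = json.loads(lock_json)
    findings = []
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        name, version = pkg.get("name"), pkg.get("version", "")
        if name in ADVISORIES:
            severity, rank, _ = ADVISORIES[name]
            status, fix = assess(name, version)
            findings.append((rank, name, version, severity, status, fix))
    return [f[1:] for f in sorted(findings, key=lambda f: (f[0], f[1]))]

# Constructed sample lock (not a real project); typo3/cms-core is there to show it is ignored.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "georgringer/news", "version": "v12.3.1"},
    {"name": "tpwd/ke_search", "version": "6.6.1"},
    {"name": "mmc/ceselector", "version": "5.0.0"},
    {"name": "typo3/cms-core", "version": "v13.4.5"},
]})
if __name__ == "__main__":
    for name, version, severity, status, fix in check_lock(SAMPLE_LOCK):
        print(f"{severity:8} {name:28} {version:10} {status:14} fix: {fix}")
```

Point it at a real project's composer.lock to get the same table for your own installation; packages reported as "unknown" (dev branches) still need a manual look.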

The full details including CVE references can be found directly in the original advisories:


Wolfgang Wagner

TYPO3 Trainer, Integrator and Consultant, TYPO3 Certified Integrator (TCCI)

Wolfgang Wagner – TYPO3 Seminare und Support · TYPO3 Education and Certification Committee · TCCI Task Force

Wolfgang Wagner has been working with TYPO3 since 2006 and is active at wwagner.net as a trainer, integrator and consultant. His focus is on training courses, online courses and individual consulting for integrators, agencies and operators of TYPO3 websites who want to use TYPO3 cleanly, modernly and economically. He is a member of the TYPO3 Education and Certification Committee and of the TCCI Task Force, and actively helps shape the official TYPO3 Certified Integrator exam.