From af3095def0175222193d3dc3ef80c9ed82e3e229 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Elias=20H=C3=A4u=C3=9Fler?= <elias@haeussler.dev>
Date: Wed, 20 May 2026 08:24:30 +0200
Subject: [PATCH] Improve GHSA-fq39-62gx-8hqx

---
 .../GHSA-fq39-62gx-8hqx.json                  | 69 ++++++++++++++++++-
 1 file changed, 66 insertions(+), 3 deletions(-)

diff --git a/advisories/unreviewed/2026/05/GHSA-fq39-62gx-8hqx/GHSA-fq39-62gx-8hqx.json b/advisories/unreviewed/2026/05/GHSA-fq39-62gx-8hqx/GHSA-fq39-62gx-8hqx.json
index f6ff0c33f9d20..f5dd2f03148a7 100644
--- a/advisories/unreviewed/2026/05/GHSA-fq39-62gx-8hqx/GHSA-fq39-62gx-8hqx.json
+++ b/advisories/unreviewed/2026/05/GHSA-fq39-62gx-8hqx/GHSA-fq39-62gx-8hqx.json
@@ -1,24 +1,87 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fq39-62gx-8hqx",
-  "modified": "2026-05-19T12:31:39Z",
+  "modified": "2026-05-19T12:31:40Z",
   "published": "2026-05-19T12:31:39Z",
   "aliases": [
     "CVE-2026-46722"
   ],
+  "summary": "TYPO3 extension \"ke_search\" affected by XML External Entity injection",
   "details": "The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "tpwd/ke_search"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.0.0"
+            },
+            {
+              "fixed": "7.0.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "tpwd/ke_search"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.0.0"
+            },
+            {
+              "fixed": "6.6.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "tpwd/ke_search"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.6.2"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46722"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/tpwd/ke_search"
+    },
     {
       "type": "WEB",
       "url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-011"