CVE-2026-8727 PUBLISHED

Remote Code Execution in extension "Site Crawler" (crawler)

Assigner: TYPO3
Reserved: 16.05.2026 Published: 19.05.2026 Updated: 19.05.2026

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
CVSS Score: 7.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	Low
Attack Complexity	High	Integrity	High	Integrity	Low
Attack Requirements	Present	Availability	High	Availability	Low
Privileges Required	High
User Interaction	Active

CVSS 4.0

Product Status

Vendor	TYPO3
Product	Extension "Site Crawler"
Versions	Default: unaffected affected from 12.0.0 to 12.0.11 (excl.) affected from 0 to 11.0.13 (excl.)

Credits

Roman Hergenreder reporter
Tomas Norre Mikkelsen remediation developer

References

https://typo3.org/security/advisory/typo3-ext-sa-2026-008

Problem Types

CWE-502 Deserialization of Untrusted Data CWE