CVE-2026-8727
Remote Code Execution in extension "Site Crawler" (crawler)
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.
| CWE | CWE-502 |
| Vendor | typo3 |
| Product | extension "site crawler" |
| Published | May 19, 2026 |
| Last Updated | May 19, 2026 |
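The unsafe pattern from the description next to a hardened decode, as an added example (not the extension's code or its actual fix). The function names, the size and depth limits, and the sample header contents are assumptions; only the header name `X-T3Crawler-Meta` and the use of `unserialize()` come from the advisory.

```php
<?php
declare(strict_types=1);

// Unsafe pattern from the advisory text: header bytes go straight into
// unserialize(), which may instantiate any loadable class (CWE-502).
function decodeMetaUnsafe(string $headerValue): mixed
{
    return unserialize($headerValue);
}

// True if any nested value is an object (including __PHP_Incomplete_Class).
function containsObject(array $data): bool
{
    foreach ($data as $value) {
        if (is_object($value) || (is_array($value) && containsObject($value))) {
            return true;
        }
    }
    return false;
}

// Hardened decode (hypothetical helper): size cap, no class instantiation,
// bounded nesting, and only object-free arrays are accepted.
function decodeMetaHardened(string $headerValue, int $maxBytes = 65536): ?array
{
    if ($headerValue === '' || strlen($headerValue) > $maxBytes) {
        return null;
    }
    // allowed_classes=false maps every serialized object to
    // __PHP_Incomplete_Class, so no application class is instantiated.
    $data = @unserialize($headerValue, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data) || containsObject($data)) {
        return null;
    }
    return $data;
}

// Constructed sample values for the X-T3Crawler-Meta header (benign, stdClass only).
$samples = [
    'plain array'   => serialize(['running' => true, 'log' => ['indexed']]),
    'top-level obj' => 'O:8:"stdClass":0:{}',
    'nested obj'    => 'a:1:{s:1:"x";O:8:"stdClass":0:{}}',
    'garbage'       => 'not-serialized',
];
foreach ($samples as $label => $value) {
    $result = decodeMetaHardened($value);
    printf("%-14s %s\n", $label, $result === null ? 'rejected' : 'accepted ' . json_encode($result));
}
```

Only the plain array is accepted; both object-bearing values and the malformed string are rejected before any caller sees them.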
Affected Versions
TYPO3 / Extension "Site Crawler"
12.0.0 < 12.0.11
0 < 11.0.13
References
Credits
Roman Hergenreder
Tomas Norre Mikkelsen