
Description

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.
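To make the failure mode concrete, the following is an added example written for this page; it is not code from the Crawler extension, from TYPO3, or from the fix referenced in the advisory. It places the vulnerable pattern (a response header handed straight to unserialize()) next to one hardened form. The class AuditLogger, the functions parseMetaUnsafe and parseMetaSafe, and both header values are constructed for the illustration; the page does not document the extension's actual code, the class path on a real install, or what the upstream patch changed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for some class that is already loadable on the
// server. unserialize() will instantiate any class the payload names and
// run its __wakeup() (and later __destruct()); this one only records that
// it happened. Whether a usable gadget exists in a real deployment is not
// something this page discusses.
final class AuditLogger
{
    public static array $events = [];
    public string $target = '';

    public function __wakeup(): void
    {
        // Executes inside unserialize(), before the caller sees any result.
        self::$events[] = 'wakeup for ' . $this->target;
    }
}

// Constructed sample of what a legitimately crawled page might return in
// the header: a plain array of scalars.
$benignHeader = serialize(['pObj' => 'tx_crawler', 'set_id' => 42]);

// Constructed sample of what an attacker-controlled endpoint returns in
// the same header: a serialized object of an existing class.
$hostileHeader = 'O:11:"AuditLogger":1:{s:6:"target";s:15:"attacker-chosen";}';

// Vulnerable consumer: trusts the remote header verbatim, so PHP builds
// whatever object graph the crawled site chose.
function parseMetaUnsafe(string $header): mixed
{
    return unserialize($header);
}

// Hardened consumer (one possible mitigation, assumed here; not the
// project's documented fix): forbid object instantiation entirely and
// accept only a flat array with string keys and scalar values.
function parseMetaSafe(string $header): ?array
{
    $value = @unserialize($header, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;
    }
    foreach ($value as $key => $item) {
        if (!is_string($key) || !is_scalar($item)) {
            return null;
        }
    }
    return $value;
}

// Demonstration.
parseMetaUnsafe($hostileHeader);
// The object was constructed and __wakeup() ran solely because the remote
// header said so; no code in the consumer referenced AuditLogger.
var_dump(count(AuditLogger::$events) === 1);

var_dump(parseMetaSafe($benignHeader));   // array(2) { ["pObj"]=> ..., ["set_id"]=> int(42) }
var_dump(parseMetaSafe($hostileHeader));  // NULL: object became __PHP_Incomplete_Class, rejected
var_dump(count(AuditLogger::$events) === 1); // still 1: no second __wakeup() ran
```

With allowed_classes set to false, any object in the payload is materialised as __PHP_Incomplete_Class rather than the named class, so its magic methods never execute; the array check then discards it. The stronger remedy is to stop using unserialize() on network-supplied data at all and carry such metadata as JSON or a signed token. For the Crawler extension itself, the vendor advisory and the fixed versions listed under Product status are the authority.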

PUBLISHED Reserved 2026-05-16 | Published 2026-05-19 | Updated 2026-05-19 | Assigner TYPO3




HIGH: 7.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status
unaffected

12.0.0 (semver) before 12.0.11
affected

Any version before 11.0.13
affected

Credits

Roman Hergenreder reporter

Tomas Norre Mikkelsen remediation developer

References

typo3.org/security/advisory/typo3-ext-sa-2026-008 vendor-advisory

cve.org (CVE-2026-8727)

nvd.nist.gov (CVE-2026-8727)
