CVE-2026-8727
Deferred Deferred - Pending Action
Remote Code Execution in TYPO3 Crawler Extension

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: TYPO3

Description
The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8727
EUVD
EUVD-2026-30854
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
typo3 site_crawler From 11.0.12 (inc) to 12.0.11 (exc)
typo3 site_crawler to 12.0.10 (inc)
typo3 site_crawler 12.0.11
typo3 site_crawler 11.0.13
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Site Crawler extension for TYPO3, where the extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize() function.

An attacker who controls a crawled endpoint can inject arbitrary serialized PHP objects through this header, which leads to Remote Code Execution (RCE) on the TYPO3 server.

Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.

Impact Analysis

This vulnerability can allow an attacker with administrative privileges to execute arbitrary code on the TYPO3 server remotely.

Such Remote Code Execution can lead to full compromise of the server, including unauthorized access to data, modification or deletion of content, and potential further attacks within the network.

Even non-super-admin administrators could exploit this vulnerability to escalate their privileges.

Detection Guidance

Detection of this vulnerability involves monitoring for the presence and use of the vulnerable Site Crawler extension versions (12.0.0 to 12.0.10 and 11.0.12 and below) on TYPO3 installations.

Since exploitation requires administrative privileges to configure a crawler-enabled page and trigger a crawl via a Scheduler task, checking for suspicious Scheduler tasks or crawler configurations may help detect potential exploitation attempts.

Additionally, monitoring HTTP responses for the presence of the X-T3Crawler-Meta response header could indicate crawler activity that might be exploited.

Specific commands are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to update the Site Crawler extension to a fixed version: 12.0.11 or 11.0.13 or later.

Restrict administrative privileges to trusted users only, as exploitation requires administrative access to configure crawler-enabled pages and trigger Scheduler tasks.

Review and disable any unnecessary crawler-enabled pages or Scheduler tasks that could be abused.

Compliance Impact

This vulnerability allows remote code execution on the TYPO3 server by exploiting insecure deserialization in the Site Crawler extension. Such unauthorized code execution can lead to unauthorized access, data breaches, or manipulation of sensitive information.

Consequently, this can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Organizations using affected versions of the extension should update immediately to mitigate risks that could lead to non-compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8727. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart