Remote Code Execution Vulnerability in TYPO3 Crawler Extension
CVE-2026-8727

7.1HIGH

Key Information:

Vendor: Typo3
Status: Extension "site Crawler"
Vendor: CVE Published:; 19 May 2026

What is CVE-2026-8727?

The TYPO3 Crawler Extension is vulnerable due to the direct handling of the X-T3Crawler-Meta response header with PHP's unserialize() function. This flaw allows an attacker to inject maliciously crafted serialized PHP objects from a controlled endpoint, potentially leading to Remote Code Execution on the TYPO3 server. Exploitation necessitates that the attacker has administrative access to configure a crawler-enabled page and initiate the crawling process through Scheduler tasks.

Affected Version(s)

Extension "Site Crawler" 12.0.0 < 12.0.11

Extension "Site Crawler" 0 < 11.0.13

References

https://typo3.org/security/advisory/typo3-ext-sa-2026-008

vendor-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
May 16, 2026

Credit

Roman Hergenreder

Tomas Norre Mikkelsen

CVE-2026-8727 Data

JSON

Typo3

What is CVE-2026-8727?

Affected Version(s)

References

CVSS V4

Timeline

Credit