CVE-2026-8727
Description
The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Remote Code Execution in TYPO3 Crawler extension via insecure deserialization of the X-T3Crawler-Meta header; fixed in versions 12.0.11 and 11.0.13.
Vulnerability
The Crawler extension (composer package tomasnorre/crawler) passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize() function. This allows an attacker who controls a crawled endpoint to inject arbitrary serialized PHP objects, leading to Remote Code Execution. Affected versions include 12.0.0 through 12.0.10, and 11.0.12 and below [1].
Exploitation
Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task. The attacker must control a URL that the crawler will visit, and that URL must return a crafted X-T3Crawler-Meta header containing a malicious serialized PHP object. The vulnerability can be abused by non-super-admin administrators to escalate privileges [1].
Impact
Successful exploitation results in Remote Code Execution on the TYPO3 server, potentially compromising the confidentiality, integrity, and availability of the system. The attacker gains the privilege level of the web server process [1].
Mitigation
Updated versions 12.0.11 and 11.0.13 are available from the TYPO3 extension manager, Packagist, and direct download. Users of the extension are advised to update immediately. No workaround is described in the advisory [1].
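As an added illustration, not code from the crawler extension (the page does not show the project's own fix), the following PHP contrasts the pattern described under Vulnerability, a response header handed straight to unserialize(), with two hardened ways of reading the same header. The function names, the header array and the sample header value are constructed for this example and are not taken from the advisory.

```php
<?php
// Constructed sample: response headers as a crawler might receive them from a
// fetched URL. The X-T3Crawler-Meta value here is a placeholder shape, not a
// real payload; whoever controls the fetched host chooses this string.
$responseHeaders = [
    'Content-Type'     => 'text/html',
    'X-T3Crawler-Meta' => 'O:10:"SomeObject":0:{}',
];

// Vulnerable pattern (as described in the advisory): the header goes to
// unserialize() unchanged, so any class known to the application can be
// instantiated from remote input and its unserialize-time magic methods run.
function decodeMetaUnsafe(array $headers)
{
    return unserialize($headers['X-T3Crawler-Meta'] ?? '');
}

// Hardened pattern 1: keep the serialization format but forbid object
// instantiation. Serialized objects become __PHP_Incomplete_Class instances
// (no application __wakeup/__destruct is invoked) and are rejected below.
function decodeMetaNoObjects(array $headers): array
{
    $raw = $headers['X-T3Crawler-Meta'] ?? '';
    if ($raw === '') {
        return [];
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Hardened pattern 2 (preferable): do not use PHP serialization across a trust
// boundary at all. JSON carries only scalars and arrays; an invalid document
// or an excessive nesting depth raises JsonException and yields an empty array.
function decodeMetaJson(array $headers): array
{
    $raw = $headers['X-T3Crawler-Meta'] ?? '';
    try {
        $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($data) ? $data : [];
}

// Usage: the unsafe variant instantiates whatever class the string names; the
// hardened variants return an empty array for the constructed header above.
var_dump(decodeMetaNoObjects($responseHeaders)); // array(0) {}
var_dump(decodeMetaJson($responseHeaders));      // array(0) {}
```

The allowed_classes option only removes object instantiation; it does not make unserialize() a parser suitable for untrusted input in general, which is why the JSON variant is the one to prefer when the data format can be changed.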
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.