HIGHCVE-2026-8727Published Modified CNA TYPO3
CVE-2026-8727: Remote Code Execution in extension "Site Crawler" (crawler)
The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.
Metrics
- CVSS v4.0
- 7.1
- Severity
- HIGH
- Fixed in
- 11.0.13
- Affected Products
- 1
Fix available
11.0.1312.0.11
Affected packages
- TYPO3 / Extension "Site Crawler"< 12.0.11 (from 12.0.0) · < 11.0.13 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:LReferences