HIGH

GHSA-jr8m-x4p7-p3v5

TYPO3 Remote Code Execution in extension "Site Crawler" (crawler)

Details

The TYPO3 Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's `unserialize()`. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task. This has been patched in versions 12.0.11 and 11.0.13.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / tomasnorre/crawler

Introduced in: 12.0.0 Fixed in: 12.0.11

Fix composer require tomasnorre/crawler:^12.0.11

Packagist / tomasnorre/crawler

Introduced in: 0 Fixed in: 11.0.13

Fix composer require tomasnorre/crawler:^11.0.13

References

https://nvd.nist.gov/vuln/detail/CVE-2026-8727 [ADVISORY]
https://github.com/FriendsOfPHP/security-advisories/blob/master/tomasnorre/crawler/CVE-2026-8727.yaml [WEB]
https://github.com/tomasnorre/crawler [PACKAGE]
https://typo3.org/security/advisory/typo3-ext-sa-2026-008 [WEB]