RCE via unserialize in TYPO3 Crawler Ext from X-T3Crawler-Meta header
CVE-2026-8727 Published on May 19, 2026

Remote Code Execution in extension "Site Crawler" (crawler)
The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.

Vendor Advisory NVD

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2026-8727 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.

Affected Versions

TYPO3 Extension "Site Crawler":

Version 12.0.0 and below 12.0.11 is affected.
Before 11.0.13 is affected.

Exploit Probability

EPSS

0.53%

Percentile

67.53%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

RCE via unserialize in TYPO3 Crawler Ext from X-T3Crawler-Meta headerCVE-2026-8727 Published on May 19, 2026

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

Affected Versions

Exploit Probability

RCE via unserialize in TYPO3 Crawler Ext from X-T3Crawler-Meta header
CVE-2026-8727 Published on May 19, 2026