Description
The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.
Published: 2026-05-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Site Crawler extension in TYPO3 contains a flaw where it sends the X-T3Crawler-Meta header from external URLs directly into PHP's unserialize() function. Because unserialize() will instantiate any malicious PHP object passed into it, an attacker who can control a URL visited by the crawler can inject arbitrary serialized objects. The impact is that the attacker can execute arbitrary PHP code on the server, giving full control over the installation. The weakness is a deserialization vulnerability (CWE-502).

Affected Systems

TYPO3 installations that have the Site Crawler extension installed. No specific version numbers are listed in the advisory, so all current releases of the Site Crawler extension should be considered affected.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity. The exploit requires a crawler-enabled page to be configured, which in turn needs administrative privileges, and a Scheduler task must trigger the crawl. Because administrative access is required, the attack surface is limited to sites with such permissions, but once achieved it results in full remote code execution. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers will need to set up a malicious endpoint and seed a crawl to succeed.

Generated by OpenCVE AI on May 19, 2026 at 11:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the Site Crawler extension until a vendor patch is released
  • Ensure no pages are configured for crawling and that scheduled crawl tasks are removed or blocked
  • Apply generic best-practice mitigations for PHP unserialize usage, such as disabling or filtering unserialize(), and monitor for unexpected deserialization activity
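As an added illustration of the third action (this is example code written for this page, not code from the Site Crawler extension or from TYPO3), the snippet below shows the unsafe pattern the description refers to next to a hardened decoder that treats the X-T3Crawler-Meta value as untrusted input. The function names, the size limit and the sample header values are assumptions made for the example.

```php
<?php
// Added example, not the extension's code. Function names, limits and the
// sample values below are assumptions for illustration.

declare(strict_types=1);

// UNSAFE PATTERN (the CWE-502 issue): a response header chosen by the crawled
// server goes straight into unserialize(), so any autoloadable class with a
// magic method (__wakeup, __destruct, ...) can be instantiated by the remote side.
function decodeCrawlerMetaUnsafe(string $headerValue)
{
    return unserialize($headerValue);
}

// HARDENED VERSION: the header is data from a third party.
//  1. Cap the size and nesting depth before parsing.
//  2. Pass allowed_classes => false so PHP never instantiates a real class;
//     any object payload becomes __PHP_Incomplete_Class instead.
//  3. Accept only a plain array of scalars and reject everything else,
//     including those incomplete-class placeholders.
function decodeCrawlerMetaSafe(string $headerValue, int $maxLen = 4096): ?array
{
    if ($headerValue === '' || strlen($headerValue) > $maxLen) {
        return null;
    }
    $decoded = @unserialize($headerValue, [
        'allowed_classes' => false,
        'max_depth'       => 4,
    ]);
    if (!is_array($decoded)) {
        return null; // false, scalars and parse failures are all rejected
    }
    return containsOnlyScalars($decoded) ? $decoded : null;
}

function containsOnlyScalars(array $value): bool
{
    foreach ($value as $item) {
        if (is_array($item)) {
            if (!containsOnlyScalars($item)) {
                return false;
            }
        } elseif (!is_scalar($item) && $item !== null) {
            return false; // objects (including __PHP_Incomplete_Class) rejected
        }
    }
    return true;
}

// Constructed sample inputs for a quick self-check (not real crawler traffic):
$benignHeader = serialize(['status' => 'indexed', 'pages' => [12, 34]]);
$objectHeader = serialize(new stdClass()); // any object payload, harmless here

var_dump(decodeCrawlerMetaSafe($benignHeader) !== null); // bool(true)
var_dump(decodeCrawlerMetaSafe($objectHeader) === null); // bool(true)
```

The `allowed_classes` option has existed since PHP 7.0 and `max_depth` since PHP 7.4. A cleaner long-term fix is to stop using PHP's serialization format for this header altogether and exchange JSON (decoded with `json_decode($value, true)`), which cannot express objects in the first place; the wrapper above is the smaller change that keeps the existing format while removing the object-instantiation path.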

Tracking


Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Added: Typo3; Typo3 extension "site Crawler"

Type: Vendors & Products
Values Added: Typo3; Typo3 extension "site Crawler"

Tue, 19 May 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 10:15:00 +0000

Type: Description
Values Added: The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.

Type: Title
Values Added: Remote Code Execution in extension "Site Crawler" (crawler)

Type: Weaknesses
Values Added: CWE-502

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


Subscriptions

Typo3 Extension "site Crawler"
MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-05-19T13:25:34.994Z

Reserved: 2026-05-16T09:55:33.916Z

Link: CVE-2026-8727

Vulnrichment

Updated: 2026-05-19T13:25:31.426Z

NVD

Status: Deferred

Published: 2026-05-19T10:16:25.747

Modified: 2026-05-19T14:47:13.200

Link: CVE-2026-8727

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:39:40Z

Weaknesses