PT-2026-41867 · Typo3 · Crawler Extension

Roman Hergenreder · Published 2026-05-19 · Updated 2026-05-19 · CVE-2026-8727

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Name of the Vulnerable Software and Affected Versions

TYPO3 Crawler extension (affected versions not specified)

Description

The Crawler extension is subject to Remote Code Execution via PHP Object Injection. This occurs because the extension passes the "X-T3Crawler-Meta" response header from crawled URLs directly to the PHP unserialize() function. An attacker who controls a crawled endpoint can inject arbitrary serialized PHP objects to execute code on the server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl through a Scheduler task.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
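
The pattern from the description next to a hardened variant, as an added example that is not the extension's own code. Only the header name comes from the advisory; the function names, the `DemoPayload` class name, the 8192-byte limit and the sample values are hypothetical, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Header name from the advisory; every function and class name below is hypothetical.
const META_HEADER = 'X-T3Crawler-Meta';

// Pattern described above: the response header goes straight into unserialize().
function parseMetaUnsafe(array $headers): mixed
{
    // Any loadable class can be instantiated; its magic methods run on remote data.
    return unserialize($headers[META_HEADER] ?? '');
}

function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (containsObject($item)) {
            return true;
        }
    }
    return false;
}

// Hardened variant: bounded size, no class instantiation, plain arrays/scalars only.
function parseMetaHardened(array $headers): ?array
{
    $raw = $headers[META_HEADER] ?? null;
    if (!is_string($raw) || $raw === '' || strlen($raw) > 8192) {
        return null;
    }
    // allowed_classes=false maps every serialized object to __PHP_Incomplete_Class,
    // so no magic method of an application class is invoked during parsing.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || containsObject($data)) {
        return null;
    }
    return $data;
}

// Constructed sample headers, as if returned by a crawled URL.
$benign = [META_HEADER => serialize(['status' => 'ok', 'links' => 3])];
$object = [META_HEADER => 'O:11:"DemoPayload":1:{s:4:"note";s:4:"demo";}'];

var_dump(parseMetaHardened($benign) !== null);
var_dump(parseMetaHardened($object) === null);
```

Where both the crawled side and the crawler can be changed, carrying the metadata as JSON removes PHP serialization from the response path entirely.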

RCE

Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2026-8727

Affected Products

Crawler Extension