TYPO3-EXT-SA-2026-008: Remote Code Execution in extension "Site Crawler" (crawler)
It has been discovered that the extension "Site Crawler" (crawler) is vulnerable to Remote Code Execution.
- Release Date: May 19, 2026
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: "Site Crawler" (crawler)
- Composer Package Name: tomasnorre/crawler
- Vulnerability Type: Insecure Deserialization
- Affected Versions: 12.0.0 - 12.0.10, 11.0.12 and below
- Severity: High
- Suggested CVSS v4.0: AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
- References: CVE-2026-8727, CWE-502
Problem Description
The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server.
Exploitation requires administrative privileges to configure a crawler-enabled page and to trigger the crawl via a Scheduler task; the flaw can nonetheless be abused by non-super-admin administrators to escalate privileges.
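The bug class described above, shown as an added example that is not the crawler extension's own code: the vulnerable pattern hands the header value from a crawled site straight to unserialize(), while a hardened variant forbids object instantiation and accepts only a plain array. The header name is from this advisory; the function names and sample header values are assumptions.

```php
<?php
// Added illustration of CWE-502 as it applies to X-T3Crawler-Meta.
// Function names are hypothetical; the crawler extension's real code differs.
declare(strict_types=1);

/** Vulnerable pattern: any class in the payload may be instantiated, so
 *  __wakeup/__destruct/__toString of whatever is installed can be reached. */
function parseCrawlerMetaVulnerable(string $headerValue): mixed
{
    return unserialize($headerValue);
}

/** Recursively refuse anything that is not a scalar, null, or array of those. */
function containsNonScalar(mixed $value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsNonScalar($item)) {
                return true;
            }
        }
        return false;
    }
    return !(is_scalar($value) || $value === null);
}

/** Hardened pattern: no object instantiation at all, bounded size, array only.
 *  With allowed_classes => false, objects become __PHP_Incomplete_Class
 *  instances, which the shape check then rejects instead of executing. */
function parseCrawlerMetaHardened(string $headerValue, int $maxLength = 8192): ?array
{
    if (strlen($headerValue) > $maxLength) {
        return null; // oversized metadata from a remote site is not trusted
    }
    $data = @unserialize($headerValue, ['allowed_classes' => false]);
    if (!is_array($data) || containsNonScalar($data)) {
        return null; // malformed input, or a payload carrying objects
    }
    return $data;
}

// Constructed sample header values: benign metadata and an object payload.
$benign  = serialize(['status' => 'ok', 'duration' => 42]);
$hostile = 'O:8:"Anything":1:{s:1:"x";i:1;}';

var_dump(parseCrawlerMetaHardened($benign));  // accepted as a plain array
var_dump(parseCrawlerMetaHardened($hostile)); // rejected: object in payload
```

Replacing serialize()/unserialize() with json_encode()/json_decode() for this header removes the object-instantiation surface entirely and is the simpler fix where both ends can be changed.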
Solution
Updated versions 12.0.11 and 11.0.13 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/crawler/12.0.11/zip
https://extensions.typo3.org/extension/download/crawler/11.0.13/zip
Users of the extension are advised to update the extension as soon as possible.
Credits
Thanks to Roman Hergenreder for reporting the vulnerability and to Tomas Norre Mikkelsen for providing updated versions of the extension.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.