CVE-2026-8727— Remote Code Execution in extension "Site Crawler" (crawler)
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TYPO3 | Extension "Site Crawler" | 12.0.0< 12.0.11 | affected |
< 11.0.13 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8727
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Remote Code Execution in extension "Site Crawler" (crawler)
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
TYPO3 Extension Site Crawler 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
TYPO3 Extension Site Crawler是TYPO3开源的一个TYPO3站点爬取与索引管理扩展。 TYPO3 Extension Site Crawler存在代码问题漏洞,该漏洞源于直接反序列化X-T3Crawler-Meta响应头,可能导致远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| TYPO3 | Extension "Site Crawler" | 12.0.0 ~ 12.0.11 | - |
II. Public POCs for CVE-2026-8727
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8727
请登录查看更多情报信息。
- https://typo3.org/security/advisory/typo3-ext-sa-2026-008vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-8727
Same Patch Batch · TYPO3 · 2026-05-19 · 8 CVEs total
| CVE-2026-46722 | XML External Entity Injection in extension "Faceted Search" (ke_search) | |
| CVE-2026-46725 | Remote Code Execution in extension "Content Element Selector" (ceselector) | |
| CVE-2026-46721 | Broken Access Control in extension "Frontend User Registration" (sf_register) | |
| CVE-2026-46723 | Information Disclosure in extension "Faceted Search" (ke_search) | |
| CVE-2026-46724 | Path Traversal in extension "Faceted Search" (ke_search) | |
| CVE-2026-8726 | SQL Injection in extension "News system" (news) | |
| CVE-2026-8827 | SQL Injection in extension "Address List" (tt_address) |
IV. Related Vulnerabilities
Same vendor: TYPO3
- CVE-2026-46725
Remote Code Execution in extension "Content Element Selector - CVE-2026-8827
SQL Injection in extension "Address List" (tt_address) - CVE-2026-46724
Path Traversal in extension "Faceted Search" (ke_search) - CVE-2026-46723
Information Disclosure in extension "Faceted Search" (ke_sea - CVE-2026-46722
XML External Entity Injection in extension "Faceted Search"
V. Comments for CVE-2026-8727
No comments yet