CVE-2026-8727

Description

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHPs unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.