GHSA-jr8m-x4p7-p3v5High

TYPO3 Remote Code Execution in extension "Site Crawler" (crawler)

Published
May 19, 2026
Last Modified
June 29, 2026

🔗 CVE IDs covered (1)

📋 Description

The TYPO3 Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task. This has been patched in versions 12.0.11 and 11.0.13.

🎯 Affected products2

  • composer/tomasnorre/crawler:>= 12.0.0, < 12.0.11
  • composer/tomasnorre/crawler:< 11.0.13

🔗 References (4)