Which versions of TYPO3 Crawler are affected by CVE-2026-8727?

The TYPO3 Crawler extension contains a remote code execution vulnerability (CVE-2026-8727, CVSS 7.1) with no public exploit identified at time of analysis.. A patch is available.

How to fix or mitigate CVE-2026-8727?

No vendor-released patch identified at time of analysis. Within 24 hours: Audit all TYPO3 instances to identify those with the Crawler extension enabled and document Scheduler tasks configured to crawl external URLs. Within 7 days: Disable the Crawler extension on instances where it is not actively required; if required, implement compensating controls and restrict configuration access to senior administrators only. Within 30 days: Establish communication with TYPO3 vendor for patch availability timeline; evaluate alternative crawling solutions or TYPO3 upgrade paths; continuously monitor for security updates.

TYPO3 Crawler CVE-2026-8727

Q: What is the CVSS score of CVE-2026-8727?

CVE-2026-8727 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.4%.

EUVD-2026-30854 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-05-19 TYPO3

GHSA-jr8m-x4p7-p3v5

PHP RCE Deserialization

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Scope

Lifecycle Timeline

Patch available

May 19, 2026 - 11:16 EUVD

Analysis Generated

May 19, 2026 - 10:45 vuln.today

CVSS changed

May 19, 2026 - 10:22 NVD

7.1 (HIGH)

DescriptionNVD

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.

AnalysisAI

Remote code execution in the TYPO3 Crawler extension occurs when the X-T3Crawler-Meta response header from a crawled URL is passed unchecked to PHP's unserialize(), enabling arbitrary PHP object injection. Exploitation requires a high-privileged administrator to configure a crawler-enabled page and a Scheduler task pointing at an attacker-controlled endpoint, so while impact is full RCE on the TYPO3 host, it is gated by an unusual combination of admin access, user interaction, and externally reachable malicious URLs. …

RemediationAI

No vendor-released patch identified at time of analysis. Within 24 hours: Audit all TYPO3 instances to identify those with the Crawler extension enabled and document Scheduler tasks configured to crawl external URLs. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-8727 vulnerability details – vuln.today

Back

TYPO3 Crawler CVE-2026-8727

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

TYPO3 Crawler CVE-2026-8727

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code