Deserialization in TYPO3 Extension "Site Crawler"

CVE-2026-8727

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution o…

Vulnerability class: Insecure Deserialization

EPSS: 0.005 (67.5th percentile)
