Advisories for Composer/Tomasnorre/Crawler package

2026

TYPO3 Remote Code Execution in extension "Site Crawler" (crawler)

The TYPO3 Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task. This has been patched in versions 12.0.11 and 11.0.13.