Strapi is vulnerable to Remote Code Execution. A remote attacker can exploit a Server-Side Template Injection that modifies email templates, which allows an attacker to craft a payload through the modified template that executes arbitrary code on the server.