CVE-2021-44618

9.8 CRITICAL

📋 TL;DR

This CVE describes a Server-side Template Injection (SSTI) vulnerability in Nystudio107 Seomatic plugin for Craft CMS. Attackers can exploit this by manipulating the Host header to inject malicious template code, potentially leading to remote code execution. All systems running vulnerable versions of the Seomatic plugin are affected.

💻 Affected Systems

Products:
  • Nystudio107 Seomatic plugin for Craft CMS
Versions: before 3.4.12
Operating Systems: All operating systems running Craft CMS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Craft CMS installations using vulnerable Seomatic plugin versions. The vulnerability is in the URL helper component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Remote code execution allowing attackers to execute arbitrary commands on the server, potentially leading to data exfiltration or further system compromise.

🟢

If Mitigated

Limited impact with proper input validation and security controls, potentially only causing denial of service or information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP request manipulation. The vulnerability is in a widely used plugin, making it attractive for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.12 and later

Vendor Advisory: https://github.com/nystudio107/craft-seomatic/releases/tag/3.4.12

Restart Required: No

Instructions:

1. Update the Seomatic plugin to version 3.4.12 or later via the Craft CMS admin panel or Composer.
2. Verify the update was successful by checking the plugin version.
3. Clear any caches if necessary.

🔧 Temporary Workarounds

Host Header Validation

all

Implement web application firewall rules or middleware to validate and sanitize Host headers

Input Sanitization

all

Add custom validation for all user-controlled inputs in template rendering

🧯 If You Can't Patch

  • Implement strict input validation for Host headers at the web server or application level
  • Deploy web application firewall with SSTI protection rules

🔍 How to Verify

Check if Vulnerable:

Check Seomatic plugin version in Craft CMS admin panel or via Composer: composer show nystudio107/craft-seomatic

Check Version:

composer show nystudio107/craft-seomatic | grep versions

Verify Fix Applied:

Verify Seomatic plugin version is 3.4.12 or higher and check the commit hash matches the fix
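The version check above can be automated. The following is an added example, not part of this advisory or of the Seomatic project: it parses the output of `composer show nystudio107/craft-seomatic` (the `versions : * x.y.z` line) and compares the installed version against the fixed release 3.4.12. The sample Composer output embedded below is constructed for the example.

```python
"""Added example: decide from `composer show` output whether the installed
Seomatic version is below the fixed release 3.4.12 (CVE-2021-44618)."""
import re

# First release that contains the fix, as stated in the advisory.
FIXED_VERSION = (3, 4, 12)

# Constructed sample outputs in the shape `composer show <package>` prints.
SAMPLE_VULNERABLE = """\
name     : nystudio107/craft-seomatic
descrip. : A turnkey SEO implementation for Craft CMS
versions : * 3.4.11
type     : craft-plugin
"""

SAMPLE_FIXED = """\
name     : nystudio107/craft-seomatic
descrip. : A turnkey SEO implementation for Craft CMS
versions : * 3.4.12
type     : craft-plugin
"""


def parse_version(text):
    """Turn 'v3.4.11' or '3.4.11' into a comparable (major, minor, patch) tuple.

    Tuple comparison is used instead of string comparison so that, for
    instance, 3.10.0 correctly sorts above 3.4.12.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def installed_version(composer_output):
    """Extract the installed version from `composer show` output.

    Composer marks the installed version with a leading '*', e.g.
    'versions : * 3.4.11'; the marker is skipped when scanning the tokens.
    """
    for line in composer_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "versions":
            for token in value.split():
                if token != "*":
                    return parse_version(token)
    raise ValueError("no 'versions' line found in composer output")


def is_vulnerable(composer_output):
    """True when the installed Seomatic version predates the 3.4.12 fix."""
    return installed_version(composer_output) < FIXED_VERSION


if __name__ == "__main__":
    for label, output in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        ver = ".".join(map(str, installed_version(output)))
        print(f"{label}: installed {ver}, vulnerable={is_vulnerable(output)}")
```

On a real host, feed the function the captured output of `composer show nystudio107/craft-seomatic` run from the Craft project directory; the advisory's `grep versions` variant works equally well as input, since only the `versions` line is read.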

📡 Detection & Monitoring

Log Indicators:

  • Unusual Host header values in web server logs
  • Multiple failed template rendering attempts
  • Suspicious PHP/system commands in logs

Network Indicators:

  • HTTP requests with manipulated Host headers containing template syntax
  • Unusual outbound connections from web server

SIEM Query:

source="web_server_logs" AND (Host:*{{* OR Host:*}}* OR Host:*$*{*)
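The SIEM query above and the Host header validation workaround listed earlier come down to the same two checks: does the Host value contain template syntax, and is it a hostname the site actually serves? The following is an added example, not part of this advisory or of the Seomatic project, that runs both checks over web server access log lines. It assumes a log format in which the Host header is appended as the last quoted field (a common nginx/Apache customisation) and a hypothetical allowlist of served hostnames; the log lines are constructed for the example.

```python
"""Added example: flag access log entries whose Host header carries template
syntax (the markers from the advisory's SIEM query) or names a host that the
site does not serve. Log format and allowlist are assumptions."""
import re
from urllib.parse import unquote

# Markers used by the advisory's SIEM query: {{ ... }} and ${ ... }.
TEMPLATE_MARKERS = ("{{", "}}", "${")

# Hypothetical allowlist of hostnames this Craft CMS site legitimately serves.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Combined log format with the Host header appended as the final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

# Constructed sample log lines: two benign requests, two with template
# syntax in the Host header (one URL-encoded), one for an unserved host,
# and one line that does not parse at all.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jan/2022:09:15:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "www.example.com"',
    '198.51.100.7 - - [12/Jan/2022:09:15:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "www.example.com:443"',
    '203.0.113.9 - - [12/Jan/2022:09:16:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.79" "{{x}}.example.com"',
    '203.0.113.9 - - [12/Jan/2022:09:16:11 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.79" "%7B%7Bx%7D%7D.example.com"',
    '203.0.113.9 - - [12/Jan/2022:09:16:12 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.79" "attacker-controlled.example"',
    'garbage line that does not parse',
]


def classify_host(host, allowed=ALLOWED_HOSTS):
    """Return the list of reasons a Host header value is suspicious (empty if clean).

    The value is URL-decoded first so that percent-encoded braces are not
    missed, and the port is stripped before the allowlist comparison.
    """
    decoded = unquote(host)
    reasons = []
    if any(marker in decoded for marker in TEMPLATE_MARKERS):
        reasons.append("template-syntax")
    hostname = decoded.split(":", 1)[0].strip().lower()
    if hostname not in allowed:
        reasons.append("unknown-host")
    return reasons


def scan_log(lines, allowed=ALLOWED_HOSTS):
    """Parse each log line and collect alerts for suspicious Host values."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # lines that do not fit the assumed format are skipped
        reasons = classify_host(m.group("host"), allowed)
        if reasons:
            alerts.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "host": m.group("host"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['ip']} Host={alert['host']!r} -> {', '.join(alert['reasons'])}")
```

The allowlist check is the more reliable of the two signals: template syntax can be obfuscated, but a Host value that is not one of the site's configured hostnames should never reach the application, which is also why the workaround of rejecting unknown Host headers at the web server or in middleware is effective.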
