CVE-2020-9757
Description
SEOmatic prior to 3.3.0 for Craft CMS allows SSTI via malformed data to the metacontainers controller, leading to RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The SEOmatic plugin for Craft CMS versions before 3.3.0 is vulnerable to Server-Side Template Injection (SSTI) in its metacontainers controller. This issue arises from insufficient sanitization of user-supplied data, allowing an attacker to inject malicious Twig templates that are executed on the server [1][2]. The vulnerability can be triggered by sending malformed data to the metacontainers endpoint.
Exploitation
An attacker with network access to the Craft CMS instance can exploit this vulnerability by crafting a request with specially designed template syntax. While the exact prerequisites are not detailed in the official description, proof-of-concept code exists demonstrating how to achieve code execution [2]. Successful exploitation does not require prior authentication if the vulnerable endpoint is exposed.
Impact
Successful exploitation of the SSTI vulnerability allows an attacker to execute arbitrary code on the underlying server. This can lead to full compromise of the Craft CMS application, including data theft, modification, and potential lateral movement within the network [1][2].
Mitigation
The vulnerability is patched in SEOmatic version 3.3.0. Users are strongly advised to update to this version or later. The fix was introduced in commit a1c2cad7e126132d2442ec8ec8e9ab43df02cc0f and documented in the changelog [3][4]. No workarounds are currently available.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nystudio107/craft-seomatic (Packagist) | < 3.3.0 | 3.3.0 |
Affected products
- Craft CMS / SEOmatic
Patches
65ab659cb6c9 (Version 3.3.0)
1 file changed · +3 −0
CHANGELOG.md+3 −0 modified@@ -18,6 +18,9 @@ * No longer delete caches in response to `TemplateCaches::EVENT_AFTER_DELETE_CACHES` * Fixed an issue where SEO previews could have the wrong URLs for multi-site setups +### Security +* Fixed a regression where malformed data passed to the metacontainers controller could result in SSTI which leads to information disclosure + ## 3.2.51 - 2020.04.06 ### Added * Updated to [Schema.org 7.0.3](https://schema.org/version/7.03/schema-all.html) including [SpecialAnnouncement](https://webmasters.googleblog.com/2020/04/highlight-covid-19-announcements-search.html) and other types/changes to handle the COVID-19 crisis
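Review bot: this commit changes only CHANGELOG.md (+3 −0), so the code that actually fixes the "regression" named in the new `### Security` entry is not part of this patch; the advisory should link the commit that changes the metacontainers controller rather than the changelog edit. The entry also describes the outcome as "information disclosure", while the CVE description above states the SSTI leads to RCE; the two impact statements should be reconciled, since a Twig template evaluated from attacker-controlled input is not limited to reading data. Because the same issue was already listed as fixed in 3.2.46 and then regressed, a regression test that feeds malformed metacontainers input and asserts it is never compiled as a template would be the appropriate accompanying change.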
a1c2cad7e126 (Version 3.2.46)
1 file changed · +1 −1
CHANGELOG.md+1 −1 modified@@ -5,7 +5,7 @@ * Fixed some dates to dateCreated as categories doesn't have postDate ### Security -* Fixed an issue where malformed data passed to the metacontainers controller could result in XSS +* Fixed an issue where malformed data passed to the metacontainers controller could result in SSTI which leads to information disclosure ## 3.2.45 - 2020.02.28 ### Added
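Review bot: this hunk is a one-line reclassification of the existing 3.2.46 security note from "XSS" to "SSTI which leads to information disclosure" (+1 −1) and contains no code, yet the Mitigation section above cites this commit as the fix; the reference should point at the commit carrying the controller change, and the mitigation text should name 3.3.0 rather than this 3.2.46 entry as the version that holds, given the 3.3.0 changelog calls the later fix a regression fix. Reclassifying XSS to SSTI is the right correction, because the difference is server-side evaluation of the injected data, and that reclassification is what justifies treating the affected range as `< 3.3.0` in the package table.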
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-6q4j-8pjm-5mgc (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-9757 (advisory)
- https://github.com/giany/CVE/blob/master/CVE-2020-9757.txt (misc)
- https://github.com/nystudio107/craft-seomatic/blob/v3/CHANGELOG.md (misc)
- https://github.com/nystudio107/craft-seomatic/commit/65ab659cb6c914c7ad671af1e417c0da2431f79b (confirm)
- https://github.com/nystudio107/craft-seomatic/commit/a1c2cad7e126132d2442ec8ec8e9ab43df02cc0f (confirm)