CVE-2021-41749
Description
Unauthenticated Server-Side Template Injection (SSTI) in the SEOmatic plugin up to 3.4.11 for Craft CMS 3 enables remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
What the vulnerability is
The SEOmatic plugin for Craft CMS 3, in versions up to and including 3.4.11, contains a Server-Side Template Injection (SSTI) vulnerability. The root cause is an ordering bug in canonical URL generation: the URL was sanitized before it was turned into an absolute URL, so host material influenced by the client (a poisoned `X-Forwarded-Host` header, per the fix commit) was spliced in after sanitization had already run. [1][4]
How it's exploited
An unauthenticated attacker sends a crafted HTTP request whose `X-Forwarded-Host` header (or, more generally, whatever host value ends up in the canonical URL) carries Twig template syntax. Because `safeCanonicalUrl()` sanitized the path first and only then built the absolute URL from the request host, the injected syntax survived into the canonical URL and was evaluated when the plugin rendered it in a Twig template. No authentication or special privileges are required; the attacker only needs network access to a site running the vulnerable plugin. Exposure depends on the request host reaching the application unmodified, so a reverse proxy that overwrites `X-Forwarded-Host` rather than passing it through narrows, but does not remove, the attack surface. [1][4]
Impact
Successful exploitation lets the attacker evaluate arbitrary Twig code server-side. Craft templates are not sandboxed: Twig expressions can call methods on the PHP objects exposed to the template, including the global `craft` variable, so SSTI in a Craft context is equivalent to remote code execution (RCE) in practice. From there an attacker can compromise the entire Craft site, exfiltrate data, modify content, or pivot to the underlying server.
Mitigation
The vulnerability was fixed in SEOmatic 3.4.12. The one-line patch moves the `sanitizeUrl()` call so that it runs on the fully constructed absolute URL, after `absoluteUrlWithProtocol()` has inserted the host, so anything a poisoned `X-Forwarded-Host` header contributes is neutralized before rendering. [4] Upgrade to 3.4.12 or later. Note that the affected-packages table below, sourced from the GitHub Security Advisory, lists 3.4.11 as the patched version, which conflicts with the CVE description ("up to 3.4.11" affected); treat 3.4.12 as the safe floor and verify the installed version with `composer show nystudio107/craft-seomatic`. As defense in depth, configure the reverse proxy to set `X-Forwarded-Host` itself rather than forward the client's value, and make sure Craft only honors forwarded headers from known proxies (Craft's `trustedHosts` general config setting). None of the cited references indicate a Known Exploited Vulnerabilities (KEV) catalog listing, but given the low barrier to exploitation, immediate patching is recommended.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
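The ordering bug described above, as an added illustration that is not code from nystudio107/craft-seomatic: a small Python model of the two orderings visible in the fix commit (sanitize-then-absolutize versus absolutize-then-sanitize), plus a header check a responder can run over captured requests. The sanitizer and the host lookup are assumptions made for the model: `sanitize_url` strips Twig delimiters (the real `DynamicMetaHelper::sanitizeUrl` is not reproduced here), and `absolute_url_with_protocol` takes its host from `X-Forwarded-Host` when present, which is what the commit message about poisoned `X-Forwarded-Host` headers implies. The sample headers are constructed.

```python
"""Model of the CVE-2021-41749 sanitize/absolutize ordering bug (added example).

Assumptions (not taken from the SEOmatic source):
  * sanitize_url() removes Twig delimiters; the real sanitizer is not reproduced.
  * absolute_url_with_protocol() takes its host from X-Forwarded-Host when the
    header is present, else a fixed site host. This is what the fix commit's
    reference to poisoned X-Forwarded-Host headers implies.
"""
import re

# Twig tag/comment/print delimiters.
TWIG_DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")
ABSOLUTE = re.compile(r"^https?://", re.I)

SITE_HOST = "example.com"  # assumed configured site host


def sanitize_url(url: str) -> str:
    """Assumed sanitizer: strip anything that could open or close a Twig tag."""
    return TWIG_DELIMS.sub("", url)


def absolute_url_with_protocol(url: str, headers: dict) -> str:
    """Assumed absolutizer: prefix scheme and host, host taken from the request."""
    if ABSOLUTE.match(url):
        return url
    host = headers.get("X-Forwarded-Host", SITE_HOST)
    return "https://" + host + "/" + url.lstrip("/")


def canonical_url_vulnerable(path: str, headers: dict) -> str:
    """Pre-fix ordering: sanitize, then absolutize. The host is spliced in
    after sanitization, so header-supplied Twig syntax survives."""
    url = sanitize_url(path)
    return absolute_url_with_protocol(url, headers)


def canonical_url_fixed(path: str, headers: dict) -> str:
    """Post-fix ordering: absolutize first, sanitize the complete URL."""
    return sanitize_url(absolute_url_with_protocol(path, headers))


def contains_twig(s: str) -> bool:
    """True if the string still carries any Twig opening delimiter."""
    return bool(re.search(r"\{\{|\{%|\{#", s))


def poisoned_headers(raw_request: str) -> list:
    """Scan a raw HTTP request head and return the names of headers whose
    values contain Twig delimiters. Useful for triaging proxy/access captures."""
    hits = []
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if TWIG_DELIMS.search(value):
            hits.append(name.strip())
    return hits


# Constructed sample request carrying a Twig probe in X-Forwarded-Host.
SAMPLE_REQUEST = (
    "GET /blog/post HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "X-Forwarded-Host: {{7*7}}.attacker.example\r\n"
    "User-Agent: curl/7.79\r\n"
)


def demo() -> dict:
    headers = {"X-Forwarded-Host": "{{7*7}}.attacker.example"}
    return {
        "vulnerable": canonical_url_vulnerable("/blog/post", headers),
        "fixed": canonical_url_fixed("/blog/post", headers),
        "flagged_headers": poisoned_headers(SAMPLE_REQUEST),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vulnerable ordering returns a canonical URL that still contains `{{7*7}}`, which is exactly the string that would later be handed to Twig; the fixed ordering returns a URL with the delimiters stripped. `poisoned_headers()` is the check to run over captured requests when hunting for probing of this bug: any `X-Forwarded-Host` value containing `{{`, `{%` or `{#` is not a legitimate hostname.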
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nystudio107/craft-seomatic (Packagist) | < 3.4.11 | 3.4.11 |
Affected products
- Craft CMS / SEOmatic plugin
Patches
3fee7d50147c: Sanitize the canonical URL after the absolute URL has been returned, to mitigate poisoned `X-Forwarded-Host` headers
1 file changed · +1 −2
src/services/Helper.php+1 −2 modified@@ -148,9 +148,8 @@ public static function safeCanonicalUrl(): string } catch (InvalidConfigException $e) { Craft::error($e->getMessage(), __METHOD__); } - $url = DynamicMetaHelper::sanitizeUrl($url); - return UrlHelper::absoluteUrlWithProtocol($url); + return DynamicMetaHelper::sanitizeUrl(UrlHelper::absoluteUrlWithProtocol($url)); } /**
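Review bot: the reordering in `safeCanonicalUrl()` closes the ordering bug but leaves `DynamicMetaHelper::sanitizeUrl()` as the sole barrier against a poisoned `X-Forwarded-Host` header, and nothing in the hunk records why the order matters. Suggest a docblock line on the return, e.g. "sanitize last: absoluteUrlWithProtocol() inserts the request host, which may come from X-Forwarded-Host", and a regression test that sends a request with `X-Forwarded-Host` set to a string containing `{{` and asserts the returned canonical URL contains no Twig delimiters. Also worth noting for the visible `catch (InvalidConfigException $e)` branch: it only logs and falls through to the return, so the new single return line is the one place every code path ends up and must stay the last statement.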
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-g7xr-v82w-qggq (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-41749 (NVD entry)
3. github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md (project changelog)
4. github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d (fix commit)
News mentions
No linked articles in our index yet.