VYPR
Critical severityNVD Advisory· Published Apr 19, 2023· Updated Nov 7, 2025

CVE-2023-22621

CVE-2023-22621

Description

Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@strapi/plugin-users-permissionsnpm
< 4.5.64.5.6
@strapi/plugin-emailnpm
< 4.5.64.5.6

Affected products

3

Patches

Vulnerability mechanics

References

10

News mentions

0

No linked articles in our index yet.