CVE-2023-22621

HIGH EXPLOITED NUCLEI

Strapi < 4.5.6 - Authenticated Server-Side Template Injection via Email Template


Exploitation Summary

CVE-2023-22621 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including sofianeelhor. A Nuclei detection template is also available.

AI-analyzed exploit summary

This repository contains a functional Python-based exploit for CVE-2023-22621, which leverages Server-Side Template Injection (SSTI) in Strapi's email template functionality to achieve Remote Code Execution (RCE). The exploit automates the process of injecting a malicious payload into the email template and triggering its execution via user registration.

Description

Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject into an email template a crafted payload that bypasses the validation checks meant to prevent code execution, and that payload then executes on the server.

Exploits (1)

nomisec WORKING POC 24 stars
by sofianeelhor · remote-auth
https://github.com/sofianeelhor/CVE-2023-22621-POC


Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Strapi <=4.5.5
Auth required
Prerequisites: Admin credentials for the Strapi instance · Network access to the target Strapi server · Listener setup for reverse shell (if using default payload)
Analyzed by devstral-2 on Feb 18, 2026

Nuclei Templates (1)

Strapi Versions <=4.5.5 - SSTI to Remote Code Execution
HIGH · VERIFIED · by iamnoooob, rootxharsh, pdresearch
Shodan: html:"Welcome to your Strapi app"

Scores

CVSS v3 7.2
EPSS 0.9102
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2026-04-04
CWE
CWE-74
Status published
Products (3)
strapi/plugin-email 0 - 4.5.6 (npm)
strapi/plugin-users-permissions 0 - 4.5.6 (npm)
strapi/strapi 3.0.0 - 4.5.6
Published Apr 19, 2023
Tracked Since Feb 18, 2026