CVE-2023-22621

HIGH | EXPLOITED | NUCLEI

Strapi < 4.5.6 - Injection


Description

Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject into an email template a crafted payload that bypasses the validation checks meant to prevent code execution, and the payload then executes on the server.

Exploits (1)

nomisec: WORKING POC (24 stars) by sofianeelhor · remote-auth
https://github.com/sofianeelhor/CVE-2023-22621-POC

Nuclei Templates (1)

Strapi Versions <=4.5.5 - SSTI to Remote Code Execution
HIGH | VERIFIED | by iamnoooob, rootxharsh, pdresearch
Shodan: html:"Welcome to your Strapi app"

Scores

CVSS v3: 7.2
EPSS: 0.9098
EPSS Percentile: 99.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2026-04-04
CWE: CWE-74
Status: published
Products (3):
- strapi/plugin-email (npm): 0 - 4.5.6
- strapi/plugin-users-permissions (npm): 0 - 4.5.6
- strapi/strapi: 3.0.0 - 4.5.6
Published: Apr 19, 2023
Tracked Since: Feb 18, 2026