CVE-2021-41749: 
PHP vulnerability analysis and mitigation

In the SEOmatic plugin up to version 3.4.11 for Craft CMS 3, a critical security vulnerability was identified that allows unauthenticated attackers to perform Server-Side Template Injection (SSTI), which can lead to remote code execution. The vulnerability was disclosed on June 12, 2022, and received a CVSS v3.1 base score of 9.8 (Critical) (NVD).

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code). It has a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, no user interaction needed, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability allows attackers to execute arbitrary code on the target system remotely without authentication. This could potentially lead to complete system compromise, data breaches, and unauthorized access to sensitive information (NVD).

The vulnerability has been patched in SEOmatic plugin version 3.4.12 and later. Users are strongly advised to upgrade to the latest version to protect against this vulnerability. The fix involves sanitizing the canonical URL after the absolute URL has been returned, to mitigate poisoned X-Forwarded-Host headers (Seomatic Patch).