CVE-2021-44618: 
PHP vulnerability analysis and mitigation

A Server-side Template Injection (SSTI) vulnerability exists in Nystudio107 Seomatic version 3.4.12 in src/helpers/UrlHelper.php via the host header. The vulnerability was disclosed on March 11, 2022 and affects the Seomatic plugin for Craft CMS (NVD, AttackerKB).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates the vulnerability is network exploitable, requires low attack complexity, needs no privileges or user interaction, and can result in high impact to confidentiality, integrity and availability. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')) (NVD).

The vulnerability could allow an unauthenticated remote attacker to execute arbitrary code on the affected system through server-side template injection. This could lead to complete system compromise with high impacts on confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been patched in subsequent versions after 3.4.12. The fix involves sanitizing all rendered URLs to mitigate the potential attack vector on improperly configured sites (Seomatic Release, Seomatic Patch).