What is CVE-2018-14716?

CVE-2018-14716 is a vulnerability in N/a. Published 2018-08-06.

Is CVE-2018-14716 known to be exploited?

6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2018-14716

A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code.

EPSS: 0.606 (98.3th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

References

45108 (exploit, x_refsource_EXPLOIT-DB)
github.com/nystudio107/craft-seomatic/releases/tag/3.1.4 (x_refsource_CONFIRM)
twitter.com/nystudio107/status/1021855169515057152 (x_refsource_CONFIRM)
ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plgu… (x_refsource_MISC)
twitter.com/nystudio107/status/1021847835418009605 (x_refsource_CONFIRM)
github.com/nystudio107/craft-seomatic/commit/1e7d1d084ac3a89e7ec70620f274911050… (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2018-14716?: CVE-2018-14716 is a vulnerability in N/a. Published 2018-08-06.
Is CVE-2018-14716 known to be exploited?: 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.