Smarty Template Engine Vulnerability Affects Sites, Update ASAP
CVE-2024-35226

7.3 HIGH

Key Information:

Vendor: Smarty-PHP
Status: Vendor
CVE Published: 28 May 2024

What is CVE-2024-35226?

A vulnerability has been identified in the Smarty template engine that allows a template author to inject PHP code by supplying a specially crafted file name in an extends tag. The issue matters most for sites that cannot fully trust their template authors, which is why prompt updating is recommended. Users on the v3 branch are notably at risk: no patch has been issued for that branch, and there are no known workarounds that mitigate the vulnerability. All users of affected Smarty versions are advised to upgrade to secure their applications.

Affected Version(s)

smarty: affected >= 5.0.0, < 5.1.1 (not affected: < 5.0.0, 5.1.1)

smarty: affected >= 3.0.0, < 4.5.3 (not affected: < 3.0.0, 4.5.3)
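The version ranges above are the only thing a site operator needs in order to decide whether an installed copy of Smarty is in scope. The following checker is an added example for this page, not code from the advisory or from the Smarty project: it encodes the two affected ranges listed above, parses version strings of the kind Composer records, and reports whether a given version is affected and which release on that line closes the range. The composer.lock excerpt inside it is a constructed sample, not taken from any real site.

```python
"""Check whether an installed Smarty version falls in the affected ranges listed
on this page (CVE-2024-35226). Added example; not part of the advisory or of
Smarty itself. Affected ranges are copied from the advisory; the composer.lock
snippet below is a constructed sample."""
import json
import re

# Affected ranges from the advisory: (lower bound inclusive, upper bound exclusive).
# The upper bound of each range is the first release that is not affected.
AFFECTED_RANGES = [
    ((3, 0, 0), (4, 5, 3)),  # smarty >= 3.0.0, < 4.5.3 (no separate patch for the v3 branch)
    ((5, 0, 0), (5, 1, 1)),  # smarty >= 5.0.0, < 5.1.1
]


def parse_version(text):
    """Turn 'v4.3.0', '4.3' or '5.1.1-rc1' into a comparable (major, minor, patch)
    tuple. A pre-release suffix is dropped, so '5.1.1-rc1' compares as 5.1.1;
    treat that as a conservative approximation when reading pre-release builds."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version_text):
    """True if the version lies in any affected range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(version_text):
    """Lowest release that closes the range containing this version, or None."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def check_composer_lock(lock_text, package="smarty/smarty"):
    """Scan a composer.lock document (JSON text) and return a list of
    (version, affected, fixed_in) tuples for every entry of the given package,
    covering both the 'packages' and 'packages-dev' sections."""
    lock = json.loads(lock_text)
    results = []
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                ver = entry.get("version", "")
                results.append((ver, is_affected(ver), minimum_fixed_version(ver)))
    return results


# Constructed sample composer.lock excerpt (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "smarty/smarty", "version": "v4.3.0"},
        {"name": "monolog/monolog", "version": "3.5.0"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    for ver, affected, fixed in check_composer_lock(SAMPLE_LOCK):
        status = f"affected, upgrade to {fixed}" if affected else "not affected"
        print(f"smarty/smarty {ver}: {status}")
```

Run it against a real composer.lock by reading the file into `check_composer_lock`; a non-empty result with `affected == True` means the site is within the advisory's ranges, and the `fixed_in` value is the release on the same line to move to. Versions below 3.0.0 and the fixed releases themselves report as not affected, matching the ranges on the page.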


CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 28 May 2024

  • Vulnerability reserved