CVE-2021-26119

HIGH

Smarty <3.1.39 - Code Injection

Title source: llm

Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.

inthewild

poc

CVSS v3 7.5

EPSS 0.6261

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Status published

Products (5)

debian/debian_linux 9.0

debian/debian_linux 10.0

debian/debian_linux 11.0

smarty/smarty < 3.1.39

smarty/smarty 0 - 3.1.39Packagist

Published Feb 22, 2021

Tracked Since Feb 18, 2026