CVE-2024-35226

HIGH

Smarty 3.0.0-4.5.2 and 5.0.0-5.1.0 - PHP Code Injection via Extends Tag Filename

Title source: llm

Description

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions, template authors could inject PHP code by choosing a malicious file name for an extends tag. Sites that cannot fully trust template authors should update as soon as possible. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.

Scores

CVSS v3 7.3
EPSS 0.0051
EPSS Percentile 39.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (3)
smarty/smarty 5.0.0 - 5.1.1 (Packagist)
smarty-php/smarty >= 3.0.0, < 4.5.3
smarty-php/smarty >= 5.0.0, < 5.1.1
Published May 28, 2024
Tracked Since Feb 18, 2026