Headline
GHSA-4rmg-292m-wg3w: Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag
Impact
Template authors could inject PHP code by choosing a malicious file name for an extends-tag. Users that cannot fully trust template authors should update as soon as possible.
Patches
Please upgrade to the most recent version of Smarty v4 or v5. There is no patch for v3.
CVE ID: CVE-2024-35226
High severity • GitHub Reviewed • Published May 28, 2024 in smarty-php/smarty • Updated May 29, 2024
Package
smarty/smarty (Composer)
Affected versions
>= 5.0.0, < 5.1.1
>= 3.0.0, < 4.5.3
Patched versions
5.1.1
4.5.3
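To check whether a project resolves to an affected release, the following added example (not part of the advisory or of Smarty itself) scans a `composer.lock` document for `smarty/smarty` and compares the locked version with the ranges listed above. The function names and the sample lock content are assumptions made for illustration; the `packages` / `packages-dev` layout is the standard Composer lock format.

```python
import json
import re

# Ranges copied from this advisory: (first affected, first fixed) per release line.
AFFECTED = [((3, 0, 0), (4, 5, 3)),   # >= 3.0.0, < 4.5.3 (v3 has no patch; fix is 4.5.3)
            ((5, 0, 0), (5, 1, 1))]   # >= 5.0.0, < 5.1.1

def parse_version(raw):
    """'v4.3.0' -> (4, 3, 0); anything else (dev-master, 5.1.1-rc1) -> None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(raw):
    """Return (status, minimum fixed version or None) for one version string."""
    version = parse_version(raw)
    if version is None:
        return ("unknown", None)      # not a plain x.y.z tag: review by hand
    for first_bad, first_fixed in AFFECTED:
        if first_bad <= version < first_fixed:
            return ("affected", ".".join(map(str, first_fixed)))
    return ("not affected", None)

def scan_lock(lock_text):
    """Find smarty/smarty in a composer.lock document and classify it."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == "smarty/smarty":
                version = pkg.get("version", "")
                findings.append((section, version) + classify(version))
    return findings

# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "monolog/monolog", "version": "3.5.0"},
                 {"name": "smarty/smarty", "version": "v4.3.0"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, status, fixed in scan_lock(SAMPLE_LOCK):
        hint = f" (upgrade to >= {fixed})" if fixed else ""
        print(f"{section}: smarty/smarty {version}: {status}{hint}")
```

Versions that are not plain `x.y.z` tags, such as branch aliases or pre-releases, are reported as `unknown` rather than guessed at.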
Description
Published to the GitHub Advisory Database
May 29, 2024
Last updated
May 29, 2024