CVE-2021-21408
published 2022-01-10

CVE-2021-21408: Access to restricted PHP code by dynamic static class access in smarty

Severity: High, 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.22% (80.5th percentile)
Access to restricted PHP code by dynamic static class access in smarty

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static PHP methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smarty-php | smarty | < 3.1.43 | 3.1.43 |
| smarty-php | smarty | | |
| smarty | smarty | >= 0 < 3.1.43 | 3.1.43 |
| smarty | smarty | >= 4.0.0 < 4.0.3 | 4.0.3 |

CVSS provenance

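| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| cvelistv5 | | 8.8 | HIGH | |
| osv | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |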