CVE-2021-26120
published 2021-02-22CVE-2021-26120: Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.
PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
82.32%
99.6th percentile
Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | smarty3 | < smarty3 3.1.39-1 (bookworm) | smarty3 3.1.39-1 (bookworm) |
| smarty | smarty | < 3.1.39 | 3.1.39 |
| smarty | smarty | >= 0 < 3.1.39 | 3.1.39 |
Detection & IOCsextracted from sources · hover to see the quote
- →Code injection in Smarty template engine triggered via a crafted function name after the '{function name=' substring in a template ↗
- ·Vulnerability is fixed in Smarty 3.1.39; versions prior to 3.1.39 are affected. Debian packages resolved at version 3.1.39-1 across all tracked suites (bookworm, bullseye, forky, sid, trixie). ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Smarty vulnerabilities
vendor_ubuntu·2022-06-21·CVSS 7.5
CVE-2021-26120 [HIGH] Smarty vulnerabilities
Title: Smarty vulnerabilities
Summary: Several security issues were fixed in Smarty.
USN-5348-1 fixed several vulnerabilities in Smarty. This update provides
the fixes for CVE-2021-21408, CVE-2021-26119, CVE-2021-26120 and
CVE-2021-29454 for Ubuntu 20.04 ESM.
Original advisory details:
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this use to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this use to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating
Ubuntu
Smarty vulnerabilities
vendor_ubuntu·2022-03-28·CVSS 7.5
CVE-2021-21408 [HIGH] Smarty vulnerabilities
Title: Smarty vulnerabilities
Summary: Several security issues were fixed in Smarty.
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this use to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this use to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating security policy
data, allowing the execution of static classes even when not permitted by
the security settings. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2021-21408)
It
Ubuntu
Smarty vulnerabilities
vendor_ubuntu·2022-03-28·CVSS 7.5
CVE-2021-26120 [HIGH] Smarty vulnerabilities
Title: Smarty vulnerabilities
Summary: Several security issues were fixed in Smarty.
USN-5348-1 fixed several vulnerabilities in Smarty. This update provides
the fixes for CVE-2021-21408, CVE-2021-26119, CVE-2021-26120 and
CVE-2021-29454 for Ubuntu 16.04 ESM.
Original advisory details:
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this use to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this use to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating
Debian
CVE-2021-26120: smarty3 - Smarty before 3.1.39 allows code injection via an unexpected function name after...
vendor_debian·2021·CVSS 9.8
CVE-2021-26120 [CRITICAL] CVE-2021-26120: smarty3 - Smarty before 3.1.39 allows code injection via an unexpected function name after...
Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.
Scope: local
bookworm: resolved (fixed in 3.1.39-1)
bullseye: resolved (fixed in 3.1.39-1)
forky: resolved (fixed in 3.1.39-1)
sid: resolved (fixed in 3.1.39-1)
trixie: resolved (fixed in 3.1.39-1)
OSV
smarty3 vulnerabilities
osv·2022-06-21·CVSS 7.5
CVE-2021-21408 [HIGH] smarty3 vulnerabilities
smarty3 vulnerabilities
USN-5348-1 fixed several vulnerabilities in Smarty. This update provides
the fixes for CVE-2021-21408, CVE-2021-26119, CVE-2021-26120 and
CVE-2021-29454 for Ubuntu 20.04 ESM.
Original advisory details:
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this use to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this use to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating security policy
data, allowing the execution of static classe
OSV
smarty3 vulnerabilities
osv·2022-03-28·CVSS 7.5
CVE-2018-13982 [HIGH] smarty3 vulnerabilities
smarty3 vulnerabilities
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this use to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this use to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating security policy
data, allowing the execution of static classes even when not permitted by
the security settings. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2021-21408)
It was discovered that Smarty was incorrectly managing access con
OSV
smarty3 vulnerabilities
osv·2022-03-28·CVSS 7.5
CVE-2021-21408 [HIGH] smarty3 vulnerabilities
smarty3 vulnerabilities
USN-5348-1 fixed several vulnerabilities in Smarty. This update provides
the fixes for CVE-2021-21408, CVE-2021-26119, CVE-2021-26120 and
CVE-2021-29454 for Ubuntu 16.04 ESM.
Original advisory details:
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this use to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this use to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating security policy
data, allowing the execution of static classe
OSV
PHP Code Injection by malicious function name in smarty
osv·2021-02-26
CVE-2021-26120 [CRITICAL] PHP Code Injection by malicious function name in smarty
PHP Code Injection by malicious function name in smarty
Template authors could inject php code by choosing a malicous {function} name. Sites that cannot fully trust template authors should update as soon as possible. Please upgrade to 3.1.39 or higher.
GHSA
PHP Code Injection by malicious function name in smarty
ghsa·2021-02-26
CVE-2021-26120 [CRITICAL] CWE-94 PHP Code Injection by malicious function name in smarty
PHP Code Injection by malicious function name in smarty
Template authors could inject php code by choosing a malicous {function} name. Sites that cannot fully trust template authors should update as soon as possible. Please upgrade to 3.1.39 or higher.
OSV
CVE-2021-26120: Smarty before 3
osv·2021-02-22·CVSS 9.8
CVE-2021-26120 [CRITICAL] CVE-2021-26120: Smarty before 3
Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.
No detection rules found.
No public exploits indexed.
arXiv
An Assessment of the Overlooked Dangers of Template Engines
arxiv_fulltext·2026-03-02
An Assessment of the Overlooked Dangers of Template Engines
[An Assessment of the Overlooked Dangers of Template Engines]An Assessment of the Overlooked Dangers of Template Engines
Lorenzo Pisu
[email protected]
0009-0001-0129-1976
University Of Cagliari
Piazza D'Armi
Cagliari
Italy
09123
Davide Maiorca
University Of Cagliari
Piazza D'Armi
Cagliari
Italy
09123
[email protected]
0000-0003-2640-4663
Giorgio Giacinto
University Of Cagliari
Piazza D'Armi
Cagliari
Italy
09123
National Interuniversity Consortium for Informatics
Piazza D'Armi
Cagliari
Italy
09123
[email protected]
0000-0002-5759-3017
Pisu L., Maiorca D., Giacinto G.
## Abstract
Template engines play a pivotal role in modern web application development by enabling the dynamic rendering of content, products, and user interfaces. Today, they are essential for any websit
arXiv
Ancora: Accurate Intrusion Recovery for Web Applications
arxiv_fulltext·2026-01-02
Ancora: Accurate Intrusion Recovery for Web Applications
: Accurate Intrusion Recovery for Web Applications
Yihao Peng^0000-0002-9190-531Xequal , Graduate Student Member, IEEE, Biao Ma^0009-0001-9372-1020equal ,
Hai Wan^0000-0002-9608-5808, Xibin Zhao^0000-0002-6168-7016, Senior Member, IEEE
Yihao Peng, Biao Ma, Hai Wan, and Xibin Zhao are with the Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing 100084, China (e-mail: [email protected]; [email protected]; [email protected]; [email protected]).
authors contributed equally to this work.
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, Vol. , 2025Peng and Ma et al.: : Accurate Intrusion Recovery for Web Applications
## Abs
https://github.com/smarty-php/smarty/blob/master/CHANGELOG.mdhttps://lists.debian.org/debian-lts-announce/2021/04/msg00004.htmlhttps://lists.debian.org/debian-lts-announce/2021/04/msg00014.htmlhttps://security.gentoo.org/glsa/202105-06https://www.debian.org/security/2022/dsa-5151https://github.com/smarty-php/smarty/blob/master/CHANGELOG.mdhttps://lists.debian.org/debian-lts-announce/2021/04/msg00004.htmlhttps://lists.debian.org/debian-lts-announce/2021/04/msg00014.htmlhttps://security.gentoo.org/glsa/202105-06https://www.debian.org/security/2022/dsa-5151
2021-02-22
Published