CVE-2021-26120: Code Injection in Smarty

CWE-94: Code Injection. 13 documents, 6 sources.

Severity: 9.8 CRITICAL (NVD); OSV 7.5
EPSS: 75.6% (top 1.10%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 22; Latest update Mar 2

Description

Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

NVD: smarty/smarty < 3.1.39
Packagist: smarty/smarty < 3.1.39
Debian: debian/smarty3 < smarty3 3.1.39-1 (bookworm)

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

🔴 Vulnerability Details (6)

OSV: smarty3 vulnerabilities (2022-06-21)
OSV: smarty3 vulnerabilities (2022-03-28)
OSV: smarty3 vulnerabilities (2022-03-28)
OSV: PHP Code Injection by malicious function name in smarty (2021-02-26)
GHSA: PHP Code Injection by malicious function name in smarty (2021-02-26)

📋 Vendor Advisories (4)

Ubuntu: Smarty vulnerabilities (2022-06-21)
Ubuntu: Smarty vulnerabilities (2022-03-28)
Ubuntu: Smarty vulnerabilities (2022-03-28)
Debian: CVE-2021-26120: smarty3 - Smarty before 3.1.39 allows code injection via an unexpected function name after... (2021)

📄 Research Papers (2)

arXiv: An Assessment of the Overlooked Dangers of Template Engines (2026-03-02)
arXiv: Ancora: Accurate Intrusion Recovery for Web Applications (2026-01-02)