CVE-2024-35226
Published 2024-05-28
High 7.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS 0.51% (39.4th percentile)
PHP Code Injection by malicious attribute in extends-tag in Smarty
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject PHP code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smarty-php | smarty | — | — |
| smarty-php | smarty | — | — |
| smarty | smarty | >= 3.0.0 < 4.5.3 | 4.5.3 |
| smarty | smarty | >= 5.0.0 < 5.1.1 | 5.1.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N |
| cvelistv5 | — | 7.3 | HIGH | — |
| osv | — | 5.4 | MEDIUM | — |
| vendor_ubuntu | — | 5.4 | MEDIUM | — |
OSV
smarty3 vulnerabilities
osv·2024-12-12·CVSS 5.4
CVE-2018-25047 [MEDIUM] smarty3 vulnerabilities
smarty3 vulnerabilities
It was discovered that Smarty incorrectly handled query parameters in
requests. An attacker could possibly use this issue to inject arbitrary
Javascript code, resulting in denial of service or potential execution of
arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
(CVE-2018-25047, CVE-2023-28447)
It was discovered that Smarty did not properly sanitize user input when
generating templates. An attacker could, through PHP injection, possibly
use this issue to execute arbitrary code. (CVE-2024-35226)
GHSA
Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag
ghsa·2024-05-29
CVE-2024-35226 [HIGH] CWE-94 Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag
Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag
### Impact
Template authors could inject PHP code by choosing a malicious file name for an extends-tag. Users that cannot fully trust template authors should update asap.
### Patches
Please upgrade to the most recent version of Smarty v4 or v5. There is no patch for v3.
OSV
Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag
osv·2024-05-29
CVE-2024-35226 [HIGH] Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag
Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag
### Impact
Template authors could inject PHP code by choosing a malicious file name for an extends-tag. Users that cannot fully trust template authors should update asap.
### Patches
Please upgrade to the most recent version of Smarty v4 or v5. There is no patch for v3.
CVEList
PHP Code Injection by malicious attribute in extends-tag in Smarty
cvelistv5·2024-05-28·CVSS 7.3
CVE-2024-35226 [HIGH] CWE-94 PHP Code Injection by malicious attribute in extends-tag in Smarty
PHP Code Injection by malicious attribute in extends-tag in Smarty
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject PHP code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
Ubuntu
Smarty vulnerability
vendor_ubuntu·2025-03-27
CVE-2024-35226 Smarty vulnerability
Title: Smarty vulnerability
Summary: Smarty could be made to crash or run programs if it opened a specially
crafted file.
It was discovered that Smarty did not properly sanitize template file
names. An attacker could possibly use this issue to cause Smarty to
crash, resulting in a denial of service, or possibly execute arbitrary
code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Smarty vulnerabilities
vendor_ubuntu·2024-12-12·CVSS 5.4
CVE-2023-28447 [MEDIUM] Smarty vulnerabilities
Title: Smarty vulnerabilities
Summary: Several security issues were fixed in Smarty.
It was discovered that Smarty incorrectly handled query parameters in
requests. An attacker could possibly use this issue to inject arbitrary
Javascript code, resulting in denial of service or potential execution of
arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
(CVE-2018-25047, CVE-2023-28447)
It was discovered that Smarty did not properly sanitize user input when
generating templates. An attacker could, through PHP injection, possibly
use this issue to execute arbitrary code. (CVE-2024-35226)
Instructions: In general, a standard system update will make all the necessary changes.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.