CVE-2024-35226
published 2024-05-28

CVE-2024-35226: PHP Code Injection by malicious attribute in extends-tag in Smarty

Severity: High (7.3, CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.51% (39.4th percentile)
Description

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions, template authors could inject PHP code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update as soon as possible. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.

Affected (4 ranges)

Vendor       Product   Version range        Fixed in
smarty-php   smarty    -                    -
smarty-php   smarty    -                    -
smarty       smarty    >= 3.0.0, < 4.5.3    4.5.3
smarty       smarty    >= 5.0.0, < 5.1.1    5.1.1

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             3.1            7.3     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
cvelistv5       -              7.3     HIGH       -
osv             -              5.4     MEDIUM     -
vendor_ubuntu   -              5.4     MEDIUM     -