DescriptionSmarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1072529, 1072530

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
smarty3 (PTS)buster3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1vulnerable
buster (security)3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u2vulnerable
bullseye (security), bullseye3.1.39-2+deb11u1vulnerable
sid, trixie3.1.48-1vulnerable
smarty4 (PTS)bookworm4.3.0-1+deb12u1vulnerable
sid, trixie4.3.1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Notes (v4.5.3) (v5.2.0)

Search for package or bug name: Reporting problems