PT-2024-26390 · Smarty+3 · Smarty+3

Trixterthetux

Published

2024-05-28

Updated

2025-03-27

CVE-2024-35226

CVSS v2.0

8.5

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions Smarty versions prior to the latest version of v4 or v5 Smarty version 3.x

Description The issue allows template authors to inject PHP code by choosing a malicious file name for an extends-tag. This poses a risk to sites that cannot fully trust template authors. All users are advised to update.

Recommendations For Smarty version 3.x: At the moment, there is no information about a newer version that contains a fix for this vulnerability. For Smarty versions prior to the latest version of v4 or v5: Upgrade to the most recent version of Smarty v4 or v5 as soon as possible.

Exploit

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

BDU:2025-03330

CVE-2024-35226

DLA-3956-1

DSA-5826-1

DSA-5830-1

GHSA-4RMG-292M-WG3W

USN-7158-1

USN-7377-1

Affected Products

Linuxmint

Red Os

Smarty

Ubuntu

PT-2024-26390 · Smarty+3 · Smarty+3

CVE-2024-35226

Weakness Enumeration

Related Identifiers

Affected Products

References · 26