High severity7.3OSV Advisory· Published May 28, 2024· Updated Jun 17, 2026
CVE-2024-35226
CVE-2024-35226
Description
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
smarty/smartyPackagist | >= 5.0.0, < 5.1.1 | 5.1.1 |
smarty/smartyPackagist | >= 3.0.0, < 4.5.3 | 4.5.3 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-4rmg-292m-wg3wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-35226ghsaADVISORY
- github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857anvdWEB
- github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3wnvdWEB
- lists.debian.org/debian-lts-announce/2024/11/msg00013.htmlnvdWEB
News mentions
0No linked articles in our index yet.