smarty

Top products

The 15 most recently published vulnerabilities affecting smarty.

• CVE-2023-41661WordPress Smarty for WordPress Plugin <= 3.1.35 is vulnerable to Cross Site Scripting (XSS)5.9Sep 29, 2023
• CVE-2023-28447Cross site scripting vulnerability in Javascript escaping in smarty/smarty7.1Mar 28, 2023
• CVE-2018-25047In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input param...5.4Sep 14, 2022
• CVE-2022-29221PHP Code Injection by malicious block or filename in Smarty8.8May 24, 2022
• CVE-2021-29454Sandbox Escape by math function in smarty8.1Jan 10, 2022
• CVE-2021-21408Access to restricted PHP code by dynamic static class access in smarty8.8Jan 10, 2022
• CVE-2021-26120Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.9.8Feb 22, 2021
• CVE-2021-26119Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.7.5Feb 22, 2021
• CVE-2011-1028The $smarty.template variable in Smarty3 allows attackers to possibly execute arbitrary PHP code via the sysplugins/smarty_internal_compile_private_special_variable.php file.9.8Nov 20, 2019
• CVE-2018-13982Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficient template code sanitization. This allows attackers controlling the exec...7.5Sep 18, 2018
• CVE-2018-16831Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir protection mechanism via a file:./../ substring in an include statement.5.9Sep 11, 2018
• CVE-2017-1000480Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name.9.8Jan 3, 2018
• CVE-2014-8350Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template.7.5Nov 3, 2014
• CVE-2012-4437Cross-site scripting (XSS) vulnerability in the SmartyException class in Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...4.3Oct 1, 2012
• CVE-2012-4277Cross-site scripting (XSS) vulnerability in the smarty_function_html_options_optoutput function in distribution/libs/plugins/function.html_options.php in Smarty before 3.1.8 allows remote attackers...4.3Aug 13, 2012