1 results (0.004 seconds)
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0
CVE-2024-35226 – PHP Code Injection by malicious attribute in extends-tag in Smarty
https://notcve.org/view.php?id=CVE-2024-35226
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. • https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w • CWE-94: Improper Control of Generation of Code ('Code Injection') •