CVE-2024-35226

Description

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.

How to fix CVE-2024-35226

To remediate CVE-2024-35226, upgrade the affected package to a fixed version below.

• —upgrade to 3.1.39-2+deb11u2 or later
• —upgrade to 4.3.0-1+deb12u2 or later
• —upgrade to 4.3.0-1+deb12u2 or later
• —upgrade to 5.1.1 or later

Is CVE-2024-35226 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 3.1.39-2+deb11u2
• from 0, < 4.3.0-1+deb12u2
• from 0, < 4.3.0-1+deb12u2
• >= 5.0.0, < 5.1.1

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-35226
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-35226
• PATCHgithub.com/smarty-php/smarty
• WEBgithub.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a