Package Instance
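Look up vulnerable packages by Package URL (purl). A version listed under `fixed_packages` fixes only the vulnerability it appears under and can itself be flagged `is_vulnerable`; read `next_non_vulnerable_version` for a version with no known vulnerabilities.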
GET /api/packages/18656?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/18656?format=api", "purl": "pkg:composer/smarty/smarty@4.0.0", "type": "composer", "namespace": "smarty", "name": "smarty", "version": "4.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.5.3", "latest_non_vulnerable_version": "5.2.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/181880?format=api", "vulnerability_id": "VCID-1vrk-mr94-huar", "summary": "Multiple vulnerabilities have been found in Smarty, the worst of which could result in remote code execution", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-25047", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00629", "scoring_system": "epss", "scoring_elements": "0.70753", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00629", "scoring_system": "epss", "scoring_elements": "0.70854", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00629", "scoring_system": "epss", "scoring_elements": "0.70857", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00629", "scoring_system": "epss", "scoring_elements": "0.70844", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-25047" }, { "reference_url": "https://bugs.gentoo.org/870100", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugs.gentoo.org/870100" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25047", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25047" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": 
[ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/55ea25d1f50f0406fb1ccedd212c527977793fc9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/commit/55ea25d1f50f0406fb1ccedd212c527977793fc9" }, { "reference_url": "https://github.com/smarty-php/smarty/issues/454", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/issues/454" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.47", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.47" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v4.2.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v4.2.1" }, { "reference_url": 
"https://lists.debian.org/debian-lts-announce/2023/01/msg00002.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00002.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019896", "reference_id": "1019896", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019896" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019897", "reference_id": "1019897", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019897" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25047", "reference_id": "CVE-2018-25047", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25047" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2018-25047.yaml", "reference_id": "CVE-2018-25047.YAML", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2018-25047.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-hwq7-5vv9-c6cf", "reference_id": "GHSA-hwq7-5vv9-c6cf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hwq7-5vv9-c6cf" }, { "reference_url": "https://usn.ubuntu.com/7158-1/", "reference_id": "USN-7158-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7158-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/26295?format=api", "purl": "pkg:composer/smarty/smarty@4.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ukne-sz3k-xkhf" }, { "vulnerability": "VCID-yvk2-k49u-1bat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.2.1" } ], "aliases": [ "CVE-2018-25047", "GHSA-hwq7-5vv9-c6cf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1vrk-mr94-huar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/156419?format=api", "vulnerability_id": "VCID-3mxe-phrs-j7d1", "summary": "Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. 
Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21408", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0047", "scoring_system": "epss", "scoring_elements": "0.65028", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0047", "scoring_system": "epss", "scoring_elements": "0.65136", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0047", "scoring_system": "epss", "scoring_elements": "0.65139", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0047", "scoring_system": "epss", "scoring_elements": "0.65128", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21408" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010375", "reference_id": "1010375", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010375" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/19ae410bf56007a5ef24441cdc6414619cfaf664", "reference_id": "19ae410bf56007a5ef24441cdc6414619cfaf664", "reference_type": "", "scores": [ { "value": "8.8", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://github.com/smarty-php/smarty/commit/19ae410bf56007a5ef24441cdc6414619cfaf664" }, { "reference_url": "https://security.gentoo.org/glsa/202209-09", "reference_id": "202209-09", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://security.gentoo.org/glsa/202209-09" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21408", "reference_id": "CVE-2021-21408", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21408" }, { "reference_url": 
"https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-21408.yaml", "reference_id": "CVE-2021-21408.YAML", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-21408.yaml" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5151", "reference_id": "dsa-5151", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://www.debian.org/security/2022/dsa-5151" }, { "reference_url": "https://github.com/advisories/GHSA-4h9c-v5vg-5m6m", "reference_id": "GHSA-4h9c-v5vg-5m6m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4h9c-v5vg-5m6m" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m", "reference_id": "GHSA-4h9c-v5vg-5m6m", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": "L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html", "reference_id": "msg00005.html", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html" }, { "reference_url": "https://usn.ubuntu.com/5348-1/", "reference_id": "USN-5348-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5348-1/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-2/", "reference_id": "USN-USN-5348-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-2/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-3/", "reference_id": "USN-USN-5348-3", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-3/" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.43", "reference_id": "v3.1.43", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": 
"generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.43" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v4.0.3", "reference_id": "v4.0.3", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v4.0.3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18660?format=api", "purl": "pkg:composer/smarty/smarty@4.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrk-mr94-huar" }, { "vulnerability": "VCID-ke5v-yxmm-fydq" }, { "vulnerability": "VCID-ukne-sz3k-xkhf" }, { "vulnerability": "VCID-yvk2-k49u-1bat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.0.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/419949?format=api", "purl": "pkg:composer/smarty/smarty@4.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-yvk2-k49u-1bat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.3.3" } ], "aliases": [ "CVE-2021-21408", "GHSA-4h9c-v5vg-5m6m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3mxe-phrs-j7d1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/156393?format=api", "vulnerability_id": "VCID-g4mk-4raf-a3bj", "summary": "Smarty is a template engine for PHP, facilitating the separation of 
presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29454", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00643", "scoring_system": "epss", "scoring_elements": "0.71134", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00643", "scoring_system": "epss", "scoring_elements": "0.71235", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00643", "scoring_system": "epss", "scoring_elements": "0.71237", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00643", "scoring_system": "epss", "scoring_elements": "0.71224", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29454" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010375", "reference_id": 
"1010375", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010375" }, { "reference_url": "https://security.gentoo.org/glsa/202209-09", "reference_id": "202209-09", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://security.gentoo.org/glsa/202209-09" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71", "reference_id": "215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29454", "reference_id": "CVE-2021-29454", 
"reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29454" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-29454.yaml", "reference_id": "CVE-2021-29454.YAML", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-29454.yaml" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5151", "reference_id": "dsa-5151", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://www.debian.org/security/2022/dsa-5151" }, { "reference_url": "https://github.com/advisories/GHSA-29gp-2c3m-3j6m", "reference_id": "GHSA-29gp-2c3m-3j6m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-29gp-2c3m-3j6m" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m", "reference_id": "GHSA-29gp-2c3m-3j6m", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": "L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://www.smarty.net/docs/en/language.function.math.tpl", "reference_id": "language.function.math.tpl", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://www.smarty.net/docs/en/language.function.math.tpl" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html", "reference_id": "msg00005.html", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": 
"https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html" }, { "reference_url": "https://packagist.org/packages/smarty/smarty", "reference_id": "smarty", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://packagist.org/packages/smarty/smarty" }, { "reference_url": "https://usn.ubuntu.com/5348-1/", "reference_id": "USN-5348-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5348-1/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-2/", "reference_id": "USN-USN-5348-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-2/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-3/", "reference_id": "USN-USN-5348-3", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-3/" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.42", "reference_id": "v3.1.42", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.42" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v4.0.2", "reference_id": "v4.0.2", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v4.0.2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18657?format=api", "purl": "pkg:composer/smarty/smarty@4.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrk-mr94-huar" }, { "vulnerability": "VCID-3mxe-phrs-j7d1" }, { "vulnerability": "VCID-ke5v-yxmm-fydq" }, { "vulnerability": "VCID-ukne-sz3k-xkhf" }, { "vulnerability": "VCID-yvk2-k49u-1bat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.0.2" } ], "aliases": [ "CVE-2021-29454", "GHSA-29gp-2c3m-3j6m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g4mk-4raf-a3bj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/169334?format=api", "vulnerability_id": "VCID-ke5v-yxmm-fydq", "summary": "Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. 
There are currently no known workarounds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29221", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.25501", "scoring_system": "epss", "scoring_elements": "0.96362", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.25501", "scoring_system": "epss", "scoring_elements": "0.96359", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.25501", "scoring_system": "epss", "scoring_elements": "0.96357", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.25501", "scoring_system": "epss", "scoring_elements": "0.96346", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29221" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011757", "reference_id": "1011757", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011757" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011758", "reference_id": "1011758", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011758" }, { "reference_url": 
"https://security.gentoo.org/glsa/202209-09", "reference_id": "202209-09", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://security.gentoo.org/glsa/202209-09" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/64ad6442ca1da31cefdab5c9874262b702cccddd", "reference_id": "64ad6442ca1da31cefdab5c9874262b702cccddd", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://github.com/smarty-php/smarty/commit/64ad6442ca1da31cefdab5c9874262b702cccddd" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29221", "reference_id": "CVE-2022-29221", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29221" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2022-29221.yaml", "reference_id": "CVE-2022-29221.YAML", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2022-29221.yaml" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5151", "reference_id": "dsa-5151", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://www.debian.org/security/2022/dsa-5151" }, { "reference_url": "https://github.com/advisories/GHSA-634x-pc3q-cf4c", "reference_id": "GHSA-634x-pc3q-cf4c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-634x-pc3q-cf4c" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c", "reference_id": "GHSA-634x-pc3q-cf4c", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": "L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00044.html", "reference_id": "msg00044.html", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00044.html" }, { "reference_url": "https://usn.ubuntu.com/6012-1/", "reference_id": "USN-6012-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6012-1/" }, { "reference_url": "https://usn.ubuntu.com/6550-1/", "reference_id": "USN-6550-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6550-1/" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.45", "reference_id": "v3.1.45", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": 
"generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.45" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v4.1.1", "reference_id": "v4.1.1", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v4.1.1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/24283?format=api", "purl": "pkg:composer/smarty/smarty@4.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrk-mr94-huar" }, { "vulnerability": "VCID-ukne-sz3k-xkhf" }, { "vulnerability": "VCID-yvk2-k49u-1bat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.1.1" } ], "aliases": [ "CVE-2022-29221", "GHSA-634x-pc3q-cf4c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ke5v-yxmm-fydq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/209740?format=api", "vulnerability_id": "VCID-ukne-sz3k-xkhf", "summary": "Smarty is a template engine for PHP. In affected versions, Smarty did not properly escape JavaScript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. 
Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28447", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01158", "scoring_system": "epss", "scoring_elements": "0.78983", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.01158", "scoring_system": "epss", "scoring_elements": "0.79048", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01158", "scoring_system": "epss", "scoring_elements": "0.79063", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01158", "scoring_system": "epss", "scoring_elements": "0.7906", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28447" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28447", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28447" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2023-28447.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2023-28447.yaml" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": 
"https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28447", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28447" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033964", "reference_id": "1033964", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033964" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033965", "reference_id": "1033965", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033965" }, { "reference_url": "https://github.com/advisories/GHSA-7j98-h7fp-4vwj", "reference_id": "GHSA-7j98-h7fp-4vwj", 
"reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7j98-h7fp-4vwj" }, { "reference_url": "https://usn.ubuntu.com/6550-1/", "reference_id": "USN-6550-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6550-1/" }, { "reference_url": "https://usn.ubuntu.com/7158-1/", "reference_id": "USN-7158-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7158-1/" }, { "reference_url": "https://usn.ubuntu.com/8242-1/", "reference_id": "USN-8242-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8242-1/" }, { "reference_url": "https://usn.ubuntu.com/8242-2/", "reference_id": "USN-8242-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8242-2/" }, { "reference_url": "https://usn.ubuntu.com/8272-1/", "reference_id": "USN-8272-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8272-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/380895?format=api", "purl": "pkg:composer/smarty/smarty@4.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-yvk2-k49u-1bat" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.3.1" } ], "aliases": [ "CVE-2023-28447", "GHSA-7j98-h7fp-4vwj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ukne-sz3k-xkhf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44191?format=api", "vulnerability_id": "VCID-yvk2-k49u-1bat", "summary": "Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions, template authors could inject PHP code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update as soon as possible. 
All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35226", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51758", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51761", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51631", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51772", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35226" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35226", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35226" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a", "reference_id": 
"0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T18:08:18Z/" } ], "url": "https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072529", "reference_id": "1072529", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072529" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072530", "reference_id": "1072530", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072530" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35226", "reference_id": "CVE-2024-35226", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35226" }, { "reference_url": "https://github.com/advisories/GHSA-4rmg-292m-wg3w", "reference_id": "GHSA-4rmg-292m-wg3w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4rmg-292m-wg3w" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w", "reference_id": "GHSA-4rmg-292m-wg3w", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": 
"HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T18:08:18Z/" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w" }, { "reference_url": "https://usn.ubuntu.com/7158-1/", "reference_id": "USN-7158-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7158-1/" }, { "reference_url": "https://usn.ubuntu.com/7377-1/", "reference_id": "USN-7377-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7377-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31754?format=api", "purl": "pkg:composer/smarty/smarty@4.5.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.5.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/31756?format=api", "purl": "pkg:composer/smarty/smarty@5.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@5.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/720526?format=api", "purl": "pkg:composer/smarty/smarty@5.2.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@5.2.0" } ], "aliases": [ "CVE-2024-35226", "GHSA-4rmg-292m-wg3w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yvk2-k49u-1bat" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.0.0" }