Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/215083?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/215083?format=api", "purl": "pkg:composer/smarty/smarty@3.1.25", "type": "composer", "namespace": "smarty", "name": "smarty", "version": "3.1.25", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.5.3", "latest_non_vulnerable_version": "5.2.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44786?format=api", "vulnerability_id": "VCID-3829-yarc-yqh3", "summary": "smarty Cross-site Scripting vulnerability in Javascript escaping\nAn attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28447", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01189", "scoring_system": "epss", "scoring_elements": "0.79192", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01189", "scoring_system": "epss", "scoring_elements": "0.79187", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28447" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28447", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28447" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": 
"https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033964", "reference_id": "1033964", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033964" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033965", "reference_id": "1033965", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033965" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28447", "reference_id": "CVE-2023-28447", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28447" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2023-28447.yaml", "reference_id": "CVE-2023-28447.YAML", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2023-28447.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-7j98-h7fp-4vwj", "reference_id": "GHSA-7j98-h7fp-4vwj", "reference_type": "", 
"scores": [], "url": "https://github.com/advisories/GHSA-7j98-h7fp-4vwj" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj", "reference_id": "GHSA-7j98-h7fp-4vwj", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj" }, { "reference_url": "https://usn.ubuntu.com/6550-1/", "reference_id": "USN-6550-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6550-1/" }, { "reference_url": "https://usn.ubuntu.com/7158-1/", "reference_id": "USN-7158-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7158-1/" }, { "reference_url": "https://usn.ubuntu.com/8242-1/", "reference_id": "USN-8242-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8242-1/" }, { "reference_url": "https://usn.ubuntu.com/8242-2/", "reference_id": "USN-8242-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8242-2/" }, { "reference_url": "https://usn.ubuntu.com/8272-1/", "reference_id": "USN-8272-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8272-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64452?format=api", "purl": "pkg:composer/smarty/smarty@3.1.48", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a3yk-8fmf-x7fw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.48" }, { "url": "http://public2.vulnerablecode.io/api/packages/64451?format=api", "purl": "pkg:composer/smarty/smarty@4.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a3yk-8fmf-x7fw" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.3.1" } ], "aliases": [ "CVE-2023-28447", "GHSA-7j98-h7fp-4vwj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3829-yarc-yqh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39251?format=api", "vulnerability_id": "VCID-3xs3-13we-6ffu", "summary": "Code Injection\nSmarty 3 is vulnerable to a PHP code injection when calling `fetch()` or `display()` functions on custom resources that do not sanitize the template name.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-1000480", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00636", "scoring_system": "epss", "scoring_elements": "0.7084", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00636", "scoring_system": "epss", "scoring_elements": "0.7089", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00636", "scoring_system": "epss", "scoring_elements": "0.70883", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-1000480" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000480", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000480" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://github.com/smarty-php/smarty/blob/master/change_log.txt", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/blob/master/change_log.txt" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00023.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00023.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00000.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00000.html" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4094", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4094" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886460", "reference_id": "886460", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886460" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000480", "reference_id": "CVE-2017-1000480", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000480" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54799?format=api", "purl": "pkg:composer/smarty/smarty@3.1.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-4dmb-dnk6-6qdd" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-d7cx-7mkv-3qhe" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" }, { "vulnerability": "VCID-jhg5-tdyz-uyh4" }, { "vulnerability": "VCID-mmfc-us8q-xbha" }, { "vulnerability": "VCID-qnee-xruu-sfb1" }, { "vulnerability": "VCID-vnb9-5w8q-r3bd" }, { "vulnerability": "VCID-xmrr-2jyf-5yhj" }, { "vulnerability": "VCID-zgxx-cfyu-1ffy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/215090?format=api", "purl": "pkg:composer/smarty/smarty@4.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a3yk-8fmf-x7fw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.3.3" } ], "aliases": [ "CVE-2017-1000480", "GHSA-9m49-vhwv-422g" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3xs3-13we-6ffu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/101017?format=api", "vulnerability_id": "VCID-4dmb-dnk6-6qdd", "summary": "Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. 
There are currently no known workarounds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29221", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.25501", "scoring_system": "epss", "scoring_elements": "0.96329", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.25501", "scoring_system": "epss", "scoring_elements": "0.96333", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.25501", "scoring_system": "epss", "scoring_elements": "0.96324", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29221" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2022-29221.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2022-29221.yaml" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/64ad6442ca1da31cefdab5c9874262b702cccddd", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://github.com/smarty-php/smarty/commit/64ad6442ca1da31cefdab5c9874262b702cccddd" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.45", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.45" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v4.1.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v4.1.1" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00044.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00044.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29221", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29221" }, { "reference_url": "https://security.gentoo.org/glsa/202209-09", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://security.gentoo.org/glsa/202209-09" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5151", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://www.debian.org/security/2022/dsa-5151" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011757", "reference_id": "1011757", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011757" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011758", "reference_id": "1011758", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011758" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": "https://github.com/advisories/GHSA-634x-pc3q-cf4c", "reference_id": "GHSA-634x-pc3q-cf4c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-634x-pc3q-cf4c" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": "L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:58Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://usn.ubuntu.com/6012-1/", "reference_id": "USN-6012-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6012-1/" }, { "reference_url": "https://usn.ubuntu.com/6550-1/", "reference_id": "USN-6550-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6550-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/151845?format=api", "purl": "pkg:composer/smarty/smarty@3.1.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.45" }, { "url": "http://public2.vulnerablecode.io/api/packages/151846?format=api", "purl": "pkg:composer/smarty/smarty@4.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.1.1" } ], "aliases": [ "CVE-2022-29221", "GHSA-634x-pc3q-cf4c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4dmb-dnk6-6qdd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55076?format=api", "vulnerability_id": "VCID-a3yk-8fmf-x7fw", "summary": "Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag\nTemplate authors could inject php code by choosing a malicious file name for an 
extends-tag. Users that cannot fully trust template authors should update asap.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35226", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.516", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51593", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35226" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35226", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35226" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T18:08:18Z/" } ], "url": "https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072529", "reference_id": "1072529", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072529" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072530", "reference_id": "1072530", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072530" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35226", "reference_id": "CVE-2024-35226", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35226" }, { "reference_url": "https://github.com/advisories/GHSA-4rmg-292m-wg3w", "reference_id": "GHSA-4rmg-292m-wg3w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4rmg-292m-wg3w" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w", "reference_id": "GHSA-4rmg-292m-wg3w", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T18:08:18Z/" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w" }, { "reference_url": "https://usn.ubuntu.com/7158-1/", "reference_id": "USN-7158-1", 
"reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7158-1/" }, { "reference_url": "https://usn.ubuntu.com/7377-1/", "reference_id": "USN-7377-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7377-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81675?format=api", "purl": "pkg:composer/smarty/smarty@4.5.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.5.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/81674?format=api", "purl": "pkg:composer/smarty/smarty@5.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@5.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/742527?format=api", "purl": "pkg:composer/smarty/smarty@5.2.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@5.2.0" } ], "aliases": [ "CVE-2024-35226", "GHSA-4rmg-292m-wg3w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a3yk-8fmf-x7fw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40249?format=api", "vulnerability_id": "VCID-d7cx-7mkv-3qhe", "summary": "Path Traversal\n`Smarty_Security::isTrustedResourceDir()` in Smarty is prone to a path traversal vulnerability due to insufficient template code sanitization. 
This allows attackers controlling the executed template code to bypass the trusted directory security restriction and read arbitrary files.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-13982", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02331", "scoring_system": "epss", "scoring_elements": "0.85129", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02331", "scoring_system": "epss", "scoring_elements": "0.85158", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.02331", "scoring_system": "epss", "scoring_elements": "0.85153", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-13982" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13982", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13982" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2018-13982.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2018-13982.yaml" }, { "reference_url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180420-01_Smarty_Path_Traversal", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180420-01_Smarty_Path_Traversal" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/bcedfd6b58bed4a7366336979ebaa5a240581531", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/commit/bcedfd6b58bed4a7366336979ebaa5a240581531" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00004.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00004.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00015.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00015.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13982", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13982" }, { "reference_url": "https://github.com/advisories/GHSA-7gfx-wxfh-7rvm", "reference_id": "GHSA-7gfx-wxfh-7rvm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7gfx-wxfh-7rvm" }, { "reference_url": "https://usn.ubuntu.com/5348-1/", "reference_id": "USN-5348-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5348-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56421?format=api", "purl": "pkg:composer/smarty/smarty@3.1.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-4dmb-dnk6-6qdd" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" }, { "vulnerability": "VCID-jhg5-tdyz-uyh4" }, { "vulnerability": "VCID-mmfc-us8q-xbha" }, { "vulnerability": "VCID-qnee-xruu-sfb1" }, { "vulnerability": "VCID-xmrr-2jyf-5yhj" }, { "vulnerability": "VCID-zgxx-cfyu-1ffy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.33" } ], "aliases": [ "CVE-2018-13982", "GHSA-7gfx-wxfh-7rvm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d7cx-7mkv-3qhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/101016?format=api", "vulnerability_id": "VCID-h2k4-cqfq-sbhw", "summary": "In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. 
A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-25047", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00629", "scoring_system": "epss", "scoring_elements": "0.70701", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00629", "scoring_system": "epss", "scoring_elements": "0.70694", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00629", "scoring_system": "epss", "scoring_elements": "0.70651", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-25047" }, { "reference_url": "https://bugs.gentoo.org/870100", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugs.gentoo.org/870100" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25047", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25047" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2018-25047.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2018-25047.yaml" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/55ea25d1f50f0406fb1ccedd212c527977793fc9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/commit/55ea25d1f50f0406fb1ccedd212c527977793fc9" }, { "reference_url": "https://github.com/smarty-php/smarty/issues/454", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/issues/454" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.47", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.47" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v4.2.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v4.2.1" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00002.html", "reference_id": "", "reference_type": "", "scores": 
[ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00002.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25047", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25047" }, { "reference_url": "https://security.gentoo.org/glsa/202209-09", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202209-09" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019896", "reference_id": "1019896", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019896" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019897", "reference_id": "1019897", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019897" }, { "reference_url": "https://github.com/advisories/GHSA-hwq7-5vv9-c6cf", "reference_id": 
"GHSA-hwq7-5vv9-c6cf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hwq7-5vv9-c6cf" }, { "reference_url": "https://usn.ubuntu.com/7158-1/", "reference_id": "USN-7158-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7158-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/145718?format=api", "purl": "pkg:composer/smarty/smarty@3.1.47", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.47" }, { "url": "http://public2.vulnerablecode.io/api/packages/145720?format=api", "purl": "pkg:composer/smarty/smarty@4.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.2.1" } ], "aliases": [ "CVE-2018-25047", "GHSA-hwq7-5vv9-c6cf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h2k4-cqfq-sbhw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42016?format=api", "vulnerability_id": "VCID-jhg5-tdyz-uyh4", "summary": "Improper Input Validation\nSmarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. 
A vulnerability was found that may allow template authors to run restricted static PHP methods.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21408", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0047", "scoring_system": "epss", "scoring_elements": "0.64926", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0047", "scoring_system": "epss", "scoring_elements": "0.64978", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0047", "scoring_system": "epss", "scoring_elements": "0.64968", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21408" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-21408.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-21408.yaml" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/19ae410bf56007a5ef24441cdc6414619cfaf664", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://github.com/smarty-php/smarty/commit/19ae410bf56007a5ef24441cdc6414619cfaf664" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.43", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.43" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v4.0.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v4.0.3" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": 
"", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://security.gentoo.org/glsa/202209-09", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://security.gentoo.org/glsa/202209-09" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5151", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://www.debian.org/security/2022/dsa-5151" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010375", "reference_id": "1010375", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010375" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21408", "reference_id": "CVE-2021-21408", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21408" }, { "reference_url": "https://github.com/advisories/GHSA-4h9c-v5vg-5m6m", "reference_id": "GHSA-4h9c-v5vg-5m6m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4h9c-v5vg-5m6m" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m", "reference_id": "GHSA-4h9c-v5vg-5m6m", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": "L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:17Z/" } ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://usn.ubuntu.com/5348-1/", "reference_id": "USN-5348-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5348-1/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-2/", "reference_id": "USN-USN-5348-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-2/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-3/", "reference_id": "USN-USN-5348-3", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-3/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60089?format=api", "purl": "pkg:composer/smarty/smarty@3.1.43", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-4dmb-dnk6-6qdd" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.43" }, { "url": "http://public2.vulnerablecode.io/api/packages/550650?format=api", "purl": "pkg:composer/smarty/smarty@4.0.0-rc.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a3yk-8fmf-x7fw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.0.0-rc.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/60090?format=api", "purl": "pkg:composer/smarty/smarty@4.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-4dmb-dnk6-6qdd" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.0.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/215090?format=api", "purl": 
"pkg:composer/smarty/smarty@4.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a3yk-8fmf-x7fw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.3.3" } ], "aliases": [ "CVE-2021-21408", "GHSA-4h9c-v5vg-5m6m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jhg5-tdyz-uyh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42013?format=api", "vulnerability_id": "VCID-mmfc-us8q-xbha", "summary": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\nSmarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29454", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00643", "scoring_system": "epss", "scoring_elements": "0.71031", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00643", "scoring_system": "epss", "scoring_elements": "0.71081", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00643", "scoring_system": "epss", "scoring_elements": "0.71074", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29454" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-29454.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-29454.yaml" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.42", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v3.1.42" }, { "reference_url": "https://github.com/smarty-php/smarty/releases/tag/v4.0.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://github.com/smarty-php/smarty/releases/tag/v4.0.2" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://packagist.org/packages/smarty/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://packagist.org/packages/smarty/smarty" }, { "reference_url": "https://security.gentoo.org/glsa/202209-09", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://security.gentoo.org/glsa/202209-09" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5151", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://www.debian.org/security/2022/dsa-5151" }, { "reference_url": "https://www.smarty.net/docs/en/language.function.math.tpl", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://www.smarty.net/docs/en/language.function.math.tpl" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010375", "reference_id": "1010375", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010375" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/", "reference_id": "BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29454", "reference_id": "CVE-2021-29454", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29454" }, { "reference_url": "https://github.com/advisories/GHSA-29gp-2c3m-3j6m", "reference_id": "GHSA-29gp-2c3m-3j6m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-29gp-2c3m-3j6m" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m", "reference_id": "GHSA-29gp-2c3m-3j6m", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/", "reference_id": "L777JIBIWJV34HS7LXPIDWASG7TT4LNI", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:13Z/" } ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/" }, { "reference_url": "https://usn.ubuntu.com/5348-1/", "reference_id": "USN-5348-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5348-1/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-2/", "reference_id": "USN-USN-5348-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-2/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-3/", "reference_id": "USN-USN-5348-3", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-3/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60081?format=api", "purl": "pkg:composer/smarty/smarty@3.1.42", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-4dmb-dnk6-6qdd" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" }, { "vulnerability": "VCID-jhg5-tdyz-uyh4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.42" }, { "url": "http://public2.vulnerablecode.io/api/packages/60082?format=api", "purl": "pkg:composer/smarty/smarty@4.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-4dmb-dnk6-6qdd" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" }, { "vulnerability": "VCID-jhg5-tdyz-uyh4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.0.2" } ], "aliases": [ "CVE-2021-29454", "GHSA-29gp-2c3m-3j6m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mmfc-us8q-xbha" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46112?format=api", "vulnerability_id": 
"VCID-qnee-xruu-sfb1", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nAuth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin <= 3.1.35 versions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41661", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.2525", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25234", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41661" }, { "reference_url": "https://patchstack.com/database/vulnerability/smarty-for-wordpress/wordpress-smarty-for-wordpress-plugin-3-1-35-cross-site-scripting-xss-vulnerability?_s_id=cve", "reference_id": "", "reference_type": "", "scores": [], "url": "https://patchstack.com/database/vulnerability/smarty-for-wordpress/wordpress-smarty-for-wordpress-plugin-3-1-35-cross-site-scripting-xss-vulnerability?_s_id=cve" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41661", "reference_id": "CVE-2023-41661", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41661" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67148?format=api", "purl": "pkg:composer/smarty/smarty@3.1.36", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-4dmb-dnk6-6qdd" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" }, { "vulnerability": "VCID-jhg5-tdyz-uyh4" }, { "vulnerability": "VCID-mmfc-us8q-xbha" }, { "vulnerability": "VCID-xmrr-2jyf-5yhj" }, { "vulnerability": "VCID-zgxx-cfyu-1ffy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.36" } ], "aliases": [ 
"CVE-2023-41661" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qnee-xruu-sfb1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40226?format=api", "vulnerability_id": "VCID-vnb9-5w8q-r3bd", "summary": "Path Traversal\nSmarty allows attackers to bypass the `trusted_dir` protection mechanism via a `/../` substring in an `include` statement.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-16831", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58445", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58436", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58389", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-16831" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2018-16831.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2018-16831.yaml" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8" }, { "reference_url": "https://github.com/smarty-php/smarty/issues/486", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/issues/486" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908698", "reference_id": "908698", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908698" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16831", "reference_id": "CVE-2018-16831", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16831" }, { "reference_url": "https://usn.ubuntu.com/5348-1/", "reference_id": "USN-5348-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5348-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56421?format=api", "purl": "pkg:composer/smarty/smarty@3.1.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { 
"vulnerability": "VCID-4dmb-dnk6-6qdd" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" }, { "vulnerability": "VCID-jhg5-tdyz-uyh4" }, { "vulnerability": "VCID-mmfc-us8q-xbha" }, { "vulnerability": "VCID-qnee-xruu-sfb1" }, { "vulnerability": "VCID-xmrr-2jyf-5yhj" }, { "vulnerability": "VCID-zgxx-cfyu-1ffy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/215090?format=api", "purl": "pkg:composer/smarty/smarty@4.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a3yk-8fmf-x7fw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.3.3" } ], "aliases": [ "CVE-2018-16831", "GHSA-65j5-vpm7-6xp4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vnb9-5w8q-r3bd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54095?format=api", "vulnerability_id": "VCID-xmrr-2jyf-5yhj", "summary": "Code Injection\nSmarty allows code injection via an unexpected function name after a `{function name=` substring.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26120", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.7558", "scoring_system": "epss", "scoring_elements": "0.98916", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.7558", "scoring_system": "epss", "scoring_elements": "0.98919", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.7558", "scoring_system": "epss", "scoring_elements": "0.98918", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26120" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26120", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26120" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-26120.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-26120.yaml" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md" }, { "reference_url": "https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md#3139---2021-02-17", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md#3139---2021-02-17" }, { "reference_url": "https://github.com/smarty-php/smarty/commit/165f1bd4d2eec328cfeaca517a725b46001de838", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/commit/165f1bd4d2eec328cfeaca517a725b46001de838" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-3rpf-5rqv-689q", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-3rpf-5rqv-689q" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00004.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00004.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html" }, { "reference_url": "https://security.gentoo.org/glsa/202105-06", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202105-06" }, { "reference_url": 
"https://srcincite.io/blog/2021/02/18/smarty-template-engine-multiple-sandbox-escape-vulnerabilities.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://srcincite.io/blog/2021/02/18/smarty-template-engine-multiple-sandbox-escape-vulnerabilities.html" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5151", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2022/dsa-5151" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26120", "reference_id": "CVE-2021-26120", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26120" }, { "reference_url": "https://usn.ubuntu.com/5348-1/", "reference_id": "USN-5348-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5348-1/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-2/", "reference_id": "USN-USN-5348-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-2/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-3/", "reference_id": "USN-USN-5348-3", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-3/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79805?format=api", "purl": "pkg:composer/smarty/smarty@3.1.39", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-4dmb-dnk6-6qdd" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" }, { "vulnerability": "VCID-jhg5-tdyz-uyh4" }, { "vulnerability": "VCID-mmfc-us8q-xbha" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.39" } ], "aliases": [ "CVE-2021-26120", "GHSA-3rpf-5rqv-689q" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xmrr-2jyf-5yhj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54097?format=api", "vulnerability_id": "VCID-zgxx-cfyu-1ffy", "summary": "Trust Boundary Violation\nSmarty allows a Sandbox Escape because `$smarty.template_object` can be accessed in sandbox mode.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26119", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.62613", "scoring_system": "epss", "scoring_elements": "0.98401", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.62613", "scoring_system": "epss", "scoring_elements": "0.98399", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.62613", "scoring_system": "epss", "scoring_elements": "0.98396", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26119" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26119", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26119" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-26119.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-26119.yaml" }, { "reference_url": "https://github.com/smarty-php/smarty", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty" }, { "reference_url": "https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md" }, { "reference_url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-w5hr-jm4j-9jvq", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/smarty-php/smarty/security/advisories/GHSA-w5hr-jm4j-9jvq" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00004.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00004.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html" }, { "reference_url": "https://security.gentoo.org/glsa/202105-06", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202105-06" }, { "reference_url": "https://srcincite.io/blog/2021/02/18/smarty-template-engine-multiple-sandbox-escape-vulnerabilities.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://srcincite.io/blog/2021/02/18/smarty-template-engine-multiple-sandbox-escape-vulnerabilities.html" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5151", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2022/dsa-5151" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26119", "reference_id": "CVE-2021-26119", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26119" }, { "reference_url": "https://usn.ubuntu.com/5348-1/", "reference_id": "USN-5348-1", "reference_type": "", "scores": [], "url": 
"https://usn.ubuntu.com/5348-1/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-2/", "reference_id": "USN-USN-5348-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-2/" }, { "reference_url": "https://usn.ubuntu.com/USN-5348-3/", "reference_id": "USN-USN-5348-3", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5348-3/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79805?format=api", "purl": "pkg:composer/smarty/smarty@3.1.39", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3829-yarc-yqh3" }, { "vulnerability": "VCID-4dmb-dnk6-6qdd" }, { "vulnerability": "VCID-a3yk-8fmf-x7fw" }, { "vulnerability": "VCID-h2k4-cqfq-sbhw" }, { "vulnerability": "VCID-jhg5-tdyz-uyh4" }, { "vulnerability": "VCID-mmfc-us8q-xbha" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.39" } ], "aliases": [ "CVE-2021-26119", "GHSA-w5hr-jm4j-9jvq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zgxx-cfyu-1ffy" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.25" }