Vulnerability details: VCID-ukne-sz3k-xkhf
Vulnerability ID VCID-ukne-sz3k-xkhf
Aliases CVE-2023-28447, GHSA-7j98-h7fp-4vwj
Summary Smarty is a template engine for PHP. In affected versions, Smarty did not properly escape JavaScript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (3)
System        Score    Found at
epss          0.01158  https://api.first.org/data/v1/epss?cve=CVE-2023-28447
cvssv3.1_qr   HIGH     https://github.com/advisories/GHSA-7j98-h7fp-4vwj
cvssv3.1      7.1      https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2023-28447.yaml
generic_textual HIGH   https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2023-28447.yaml
cvssv3.1      7.1      https://github.com/smarty-php/smarty
generic_textual HIGH   https://github.com/smarty-php/smarty
cvssv3.1      7.1      https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d
generic_textual HIGH   https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d
cvssv3.1      7.1      https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj
cvssv3.1_qr   HIGH     https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj
generic_textual HIGH   https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj
cvssv3.1      7.1      https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html
generic_textual HIGH   https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html
cvssv3.1      7.1      https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ
generic_textual HIGH   https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ
cvssv3.1      7.1      https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT
generic_textual HIGH   https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT
cvssv3.1      7.1      https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP
generic_textual HIGH   https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP
cvssv3.1      7.1      https://nvd.nist.gov/vuln/detail/CVE-2023-28447
generic_textual HIGH   https://nvd.nist.gov/vuln/detail/CVE-2023-28447
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): required
Scope (S): changed
Confidentiality Impact (C): low
Integrity Impact (I): low
Availability Impact (A): low
The same vector is reported by each of the following sources:
https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2023-28447.yaml
https://github.com/smarty-php/smarty
https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d
https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj
https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP
https://nvd.nist.gov/vuln/detail/CVE-2023-28447
Exploit Prediction Scoring System (EPSS)
Percentile 0.78983
EPSS Score 0.01158
Published At June 11, 2026, 12:55 p.m.
Date: 2026-06-11T20:30:07.034630+00:00
Actor: Debian Oval Importer
Action: Import
Source: https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2
VulnerableCode Version: 38.6.0