CVE-2021-26120

Published: 22 February 2021

Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: smarty3 (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1)
focal      Needed
groovy     Ignored (reached end-of-life)
hirsute    Ignored (reached end-of-life)
impish     Not vulnerable (3.1.39-2)
jammy      Not vulnerable (3.1.39-2)
precise    Does not exist
trusty     Does not exist
upstream   Released (3.1.39)
xenial     Ignored (end of standard support, was needed)

Patches:
upstream: https://github.com/smarty-php/smarty/commit/4f634c0097ab4a8b2adc2a97caacd1676e88f9c8