Vulnerability in N/a

CVE-2021-26120

Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.

EPSS: 0.756 (98.9th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

References

github.com/smarty-php/smarty/blob/master/CHANGELOG.md (x_refsource_MISC)
[debian-lts-announce] 20210405 [SECURITY] [DLA 2618-1] smarty3 security update (mailing-list, x_refsource_MLIST)
[debian-lts-announce] 20210416 [SECURITY] [DLA 2618-2] smarty3 regression update (mailing-list, x_refsource_MLIST)
GLSA-202105-06 (vendor-advisory, x_refsource_GENTOO)
DSA-5151 (vendor-advisory, x_refsource_DEBIAN)

Frequently asked questions

What is CVE-2021-26120?: CVE-2021-26120 is a vulnerability in N/a. Published 2021-02-22.
Is CVE-2021-26120 known to be exploited?: 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.