Known Vulnerabilities for products from Smarty

Listed below are 20 of the newest known vulnerabilities associated with the vendor "Smarty".

These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.

Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.

Known Vulnerabilities

CVE Shortened Description Severity Publish Date Last Modified
CVE-2026-56785 json Not Provided 2026-06-23 2026-06-24
CVE-2026-54390 json Not Provided 2026-06-18 2026-06-23
CVE-2026-50745 json Not Provided 2026-06-26 2026-06-26
CVE-2026-45714 json Not Provided 2026-05-13 2026-05-14
CVE-2026-44377 json Not Provided 2026-05-13 2026-05-14
CVE-2026-14453 json Not Provided 2026-07-13 2026-07-13
CVE-2023-41661 json Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin <=... 4.8 - MEDIUM 2023-09-29 2023-10-02
CVE-2023-28447 json Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could e... 6.1 - MEDIUM 2023-03-28 2024-02-01
CVE-2022-29221 json Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to ... 8.8 - HIGH 2022-05-24 2023-11-07
CVE-2021-29454 json Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to ... 8.8 - HIGH 2022-01-10 2023-11-07
CVE-2021-26120 json Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring. 9.8 - CRITICAL 2021-02-22 2022-10-14
CVE-2021-26119 json Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode. 7.5 - HIGH 2021-02-22 2022-10-14
CVE-2021-21408 json Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to ... 8.8 - HIGH 2022-01-10 2023-11-07
CVE-2018-25047 json In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_functi... 5.4 - MEDIUM 2022-09-15 2023-03-03
CVE-2018-16831 json Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir protection mechanism via a file:./../ substring in an i... 5.9 - MEDIUM 2018-09-11 2018-11-16
CVE-2018-13982 json Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficien... 7.5 - HIGH 2018-09-18 2021-11-02
CVE-2017-1000480 json Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources ... 9.8 - CRITICAL 2018-01-03 2018-02-04
CVE-2014-8350 json Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonst... Not Provided 2014-11-03 2026-05-06
CVE-2012-4437 json Cross-site scripting (XSS) vulnerability in the SmartyException class in Smarty (aka smarty-php) before 3.1.12 allows remote ... Not Provided 2012-10-01 2026-04-29
CVE-2012-4277 json Cross-site scripting (XSS) vulnerability in the smarty_function_html_options_optoutput function in distribution/libs/plugins/... Not Provided 2012-08-13 2026-04-29

Known software with vulnerabilities from Smarty

Type Vendor Product Version
ApplicationSmartySmarty1.0
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report