CVE-2021-21408 HIGH

CVE-2021-21408: Access to restricted PHP code by dynamic static class access in smarty

Vendor Smarty-Php

Product smarty

Weakness CWE-20 · Input validation

Published January 10, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.

Key dates

02Disclosure timeline

January 10, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-21408

Related vulnerabilities

Identifiers

CVE CVE-2021-21408

CWE CWE-20

CVSS 8.8 / HIGH

Affected versions

Vendor Smarty-Php

Product smarty

Affected < 3.1.43

Vendor Smarty-Php

Product smarty

Affected >= 4.0.0, < 4.0.3

CVE-2021-21408: Access to restricted PHP code by dynamic static class access in smarty

01Description

02Disclosure timeline

03References

04Related CVE