Sandbox protection could be bypassed through access to an internal Smarty object that should have been blocked. Sites that rely on Smarty Security features should upgrade as soon as possible. Please upgrade to 3.1.39 or higher.

References

• GHSA-w5hr-jm4j-9jvq
• https://nvd.nist.gov/vuln/detail/CVE-2021-26119
• https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md
• https://lists.debian.org/debian-lts-announce/2021/04/msg00004.html
• https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html
• https://security.gentoo.org/glsa/202105-06
• https://srcincite.io/blog/2021/02/18/smarty-template-engine-multiple-sandbox-escape-vulnerabilities.html
• https://www.debian.org/security/2022/dsa-5151
• https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-26119.yaml