Intel

AIKIDO-2026-719762

smarty/smarty is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

65

Medium Risk

This Affects:

PHPsmarty/smarty
3.1.11 - 5.8.3
Fixed in 5.8.4
Are you affected? Scan for Free

TL;DR

The built-in stream: template resource in smarty/smarty opens the nested stream wrapper with fopen() without validating it against the configured security policy. Because the stream resource handler is matched before the wrapper allowlist check runs, a template resource such as stream:php://filter/... reaches the underlying php:// wrapper even when Security::$streams restricts or disables stream access. This lets untrusted template input bypass the sandbox and read arbitrary local files. The fix parses the wrapper scheme from the resolved path and validates it with isTrustedStream() before opening the stream.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application relies on the Smarty security policy to sandbox untrusted templates.

Background info

smarty/smarty is vulnerable to Path Traversal in versions 3.1.11 - 5.8.3.

How to fix this

Upgrade the smarty/smarty library to the patch version.