CVE-2017-1000480

Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name.

Date published : 2018-01-03

https://www.debian.org/security/2018/dsa-4094

https://github.com/smarty-php/smarty/blob/master/change_log.txt