
PHP Smarty Sandbox Escape Vulnerability CVE-2021-26119



Introduction to Components

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from the application logic (PHP). This is important in collaborative projects or where the application programmer and the template designer are not the same person.


The Sangfor Security Team has verified the Smarty sandbox escape vulnerability CVE-2021-26119, classified as critical.

CVE-2021-26119 allows a sandbox escape because $smarty.template_object can be accessed in sandbox mode. The vulnerability is found in template files compiled and generated by the engine using the Smarty_Internal_Runtime_TplFunction template. Attackers with permission can exploit this vulnerability by constructing malicious data, ultimately causing remote code execution.



The Sangfor Security Team set up a Smarty 3.1.38 environment and successfully reproduced this vulnerability.


Smarty is a well-known template engine written in PHP. There are tens of thousands of unique visitors on the Smarty website daily.

Affected Versions:

Smarty 3.1.38 and earlier versions
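
The following check is an added example, not part of the original advisory or of Smarty itself. It reads the Smarty version pinned in a `composer.lock`, compares it with the affected range stated above, and lists template lines that reference `$smarty.template_object`. It assumes the project installs Smarty through Composer as the `smarty/smarty` package; the function names and sample inputs are constructed for illustration.

```python
import json
import re

# Highest affected release according to the advisory ("3.1.38 and earlier").
LAST_AFFECTED = (3, 1, 38)
# The special variable the advisory says is reachable in sandbox mode.
TEMPLATE_OBJECT_REF = re.compile(r"\$smarty\.template_object\b")


def parse_version(text):
    """Turn 'v3.1.38' or '3.1.38-dev' into (3, 1, 38); None if unparseable."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def smarty_version_from_lock(lock_text):
    """Return the smarty/smarty version string recorded in composer.lock text."""
    lock = json.loads(lock_text)
    # Assumption: Smarty is installed via Composer under the name smarty/smarty.
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name", "").lower() == "smarty/smarty":
            return pkg.get("version")
    return None


def is_affected(version_text):
    """True when affected, False when newer, None when it cannot be decided."""
    parsed = parse_version(version_text or "")
    return None if parsed is None else parsed <= LAST_AFFECTED


def find_template_object_refs(template_source):
    """Return 1-based line numbers that reference $smarty.template_object."""
    return [n for n, line in enumerate(template_source.splitlines(), 1)
            if TEMPLATE_OBJECT_REF.search(line)]


# Constructed sample inputs (not taken from the advisory).
SAMPLE_LOCK = '{"packages": [{"name": "smarty/smarty", "version": "v3.1.38"}]}'
SAMPLE_TPL = "<h1>{$title}</h1>\n{$smarty.template_object}\n{$smarty.now}\n"

if __name__ == "__main__":
    version = smarty_version_from_lock(SAMPLE_LOCK)
    print("smarty/smarty", version, "affected:", is_affected(version))
    print("template_object referenced on lines:", find_template_object_refs(SAMPLE_TPL))
```

A `None` result from `is_affected` (for example a branch alias such as `dev-master`) means the version has to be confirmed by hand.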


Feb 18, 2021: Sangfor FarSight Labs detected that Smarty released a security patch.
Feb 25, 2021: Sangfor FarSight Labs reproduced this vulnerability successfully and released solutions.

Learn More

Sangfor FarSight Labs researches the latest and unknown zero-day vulnerabilities and threats, alerting customers to vulnerabilities that can pose threats to their organizations, and providing solutions as soon as possible with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats so our customers can be protected from them as quickly as possible.

Remediation Solution

Smarty has released a new version to fix this vulnerability. Please download it from the following link:

Sangfor Solution

  1. For Sangfor NGAF customers, click Update on Security Capability Update.
  2. Sangfor Cloud WAF has automatically updated its database in the cloud. Users are already protected from this vulnerability without any additional operation required.
  3. Sangfor Cyber Command detects attacks which exploit this vulnerability and can alert users in real time. Users can integrate Cyber Command with NGAF to block an attacker's IP address.
  4. Sangfor SOC has Sangfor security specialists available 24/7 to help you resolve any security issues. After rule update release, Sangfor security experts check and update the customer's vulnerability detection equipment and perform a vulnerability scan of the customer's network environment to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, the SOC regularly reviews and updates device policies to ensure protection against this vulnerability.