It was discovered that Smarty did not correctly filter certain math inputs. A remote attacker using Smarty via a web service could exploit this to execute subsets of shell commands as the web server user.