A vulnerability has been identified and corrected in php-smarty: The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and a dollar-sign character, aka php executed in templates