-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| smarty/smarty | composer | < 3.1.47 | 3.1.47 |
| smarty/smarty | composer | >= 4.0.0, < 4.2.1 | 4.2.1 |
PHPPHPMiggo AIRoot Cause AnalysisThe commit diff shows the vulnerable function added htmlspecialchars() escaping to the address/text parameters in the mailto link generation. Prior to this fix, parameters were directly interpolated into HTML/JS contexts without proper encoding. The CVE description explicitly states the mailto plugin's handling of user parameters was the attack vector, and the GitHub issue #454 demonstrates a working XSS payload exploiting this lack of escaping.
Ongoing coverage of React2Shell