The $smarty.template variable in Smarty3 allows attackers to possibly execute arbitrary PHP code via the sysplugins/smarty_internal_compile_private_special_variable.php file.
[
{
"product": "smarty3",
"vendor": "smarty3",
"versions": [
{
"status": "affected",
"version": "3"
}
]
}
]