Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.

By admin