It was discovered that the regex module in Smarty, a PHP templating engine, allows attackers to call arbitrary PHP functions via templates using the regex_replace plugin by a specially crafted search string.