The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 r2797 and earlier allows remote attackers to execute arbitrary PHP code via vectors related to templates and a \ (backslash) before a dollar-sign character.

More... (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4811)