Smarty contains a flaw that may allow a remote attacker to execute arbitrary PHP code. The issue is due to the regex_replace modifier being called insecurely from templates. With a specially crafted request, an attacker can execute arbitrary code even with template security enabled.
Upgrade to version 2.6.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.