Cross-site scripting (XSS) vulnerability in the template module in SmartyCMS 0.9.4 allows remote attackers to inject arbitrary web script or HTML via the title bar.