A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.
Information Disclosure
Twig
Debian Linux
NVD
GitHub
CVSS 3.1
3.7
EPSS
1.4%