Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.
AnalysisAI
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.
Technical ContextAI
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place. Affected products include: Symfony Twig, Debian Debian Linux. Version information: before 1.38.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. Rated critical sever
Sandbox bypass in Twig template engine versions 2.16.x and 3.9.0 through 3.25.x allows attackers with template rendering
Twig is a template language for PHP. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no auth
Twig is a template language for PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no auth
The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote at
Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, m
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today