Twig
Monthly
Sandbox bypass in Twig template engine versions 2.16.x and 3.9.0 through 3.25.x allows attackers with template rendering capabilities to execute arbitrary PHP code when the sandbox is enabled via a SourcePolicyInterface rather than globally. The runtime check on sort, filter, map, and reduce filters fails to propagate the current template source, allowing arbitrary PHP callables to be passed and executed. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the RCE/PHP tagging and CVSS 4.0 score of 8.7 indicate high impact for applications offering user-editable templates.
Twig is a template language for PHP. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Twig is a template language for PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.
Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.
Sandbox bypass in Twig template engine versions 2.16.x and 3.9.0 through 3.25.x allows attackers with template rendering capabilities to execute arbitrary PHP code when the sandbox is enabled via a SourcePolicyInterface rather than globally. The runtime check on sort, filter, map, and reduce filters fails to propagate the current template source, allowing arbitrary PHP callables to be passed and executed. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the RCE/PHP tagging and CVSS 4.0 score of 8.7 indicate high impact for applications offering user-editable templates.
Twig is a template language for PHP. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Twig is a template language for PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.
Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.