Skip to main content

Twig

7 CVEs product

Monthly

CVE-2026-24425 PHP HIGH PATCH GHSA This Week

Sandbox bypass in Twig template engine versions 2.16.x and 3.9.0 through 3.25.x allows attackers with template rendering capabilities to execute arbitrary PHP code when the sandbox is enabled via a SourcePolicyInterface rather than globally. The runtime check on sort, filter, map, and reduce filters fails to propagate the current template source, allowing arbitrary PHP callables to be passed and executed. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the RCE/PHP tagging and CVSS 4.0 score of 8.7 indicate high impact for applications offering user-editable templates.

PHP RCE Twig
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2024-45411 PHP HIGH PATCH This Week

Twig is a template language for PHP. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Twig
NVD GitHub
CVSS 3.1
8.6
EPSS
0.8%
CVE-2023-46734 PHP MEDIUM PATCH This Month

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

PHP XSS Symfony Twig
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2022-39261 PHP HIGH PATCH This Week

Twig is a template language for PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Twig Drupal Fedora Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2019-9942 PHP LOW PATCH Monitor

A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Twig Debian Linux
NVD GitHub
CVSS 3.1
3.7
EPSS
1.4%
CVE-2018-13818 CRITICAL POC PATCH Act Now

Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE Twig
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
7.0%
CVE-2015-7809 PHP MEDIUM PATCH This Month

The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

RCE PHP Privilege Escalation Twig
NVD GitHub
CVSS 2.0
6.8
EPSS
2.0%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Sandbox bypass in Twig template engine versions 2.16.x and 3.9.0 through 3.25.x allows attackers with template rendering capabilities to execute arbitrary PHP code when the sandbox is enabled via a SourcePolicyInterface rather than globally. The runtime check on sort, filter, map, and reduce filters fails to propagate the current template source, allowing arbitrary PHP callables to be passed and executed. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the RCE/PHP tagging and CVSS 4.0 score of 8.7 indicate high impact for applications offering user-editable templates.

PHP RCE Twig
NVD GitHub VulDB
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Twig is a template language for PHP. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Twig
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

PHP XSS Symfony +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Twig is a template language for PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Twig Drupal +2
NVD GitHub
EPSS 1% CVSS 3.7
LOW PATCH Monitor

A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Twig Debian Linux
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL POC PATCH Act Now

Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE Twig
NVD GitHub Exploit-DB
EPSS 2% CVSS 6.8
MEDIUM PATCH This Month

The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

RCE PHP Privilege Escalation +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy