CVE-2024-45411
published 2024-09-09

Priority: P3, 46, high
CVSS 3.1: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)
EPSS: 0.83% (52.8th percentile)
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-twig | < php-twig 3.5.1-1+deb12u1 (bookworm) | php-twig 3.5.1-1+deb12u1 (bookworm) |
| symfony | twig | >= 1.0.0 < 1.44.8 | 1.44.8 |
| symfony | twig | >= 2.0.0 < 2.16.1 | 2.16.1 |
| symfony | twig | >= 3.0.0 < 3.14.0 | 3.14.0 |
| twig | twig | >= 0 < 3.26.0 | 3.26.0 |
| twig | twig | >= 1.0.0 < 1.44.8 | 1.44.8 |
| twig | twig | >= 2.0.0 < 2.16.1 | 2.16.1 |
| twig | twig | >= 3.0.0 < 3.11.1 | 3.11.1 |
| twig | twig | >= 3.12.0 < 3.14.0 | 3.14.0 |
| twigphp | twig | | |
| twigphp | twig | | |
| twigphp | twig | | |

CVSS provenance

nvd: v3.1, 8.6 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
ghsa: 8.6 HIGH
osv: 8.6 HIGH
vendor_debian: 8.5 HIGH
vendor_ubuntu: 8.5 HIGH