CVE-2024-51754
published 2024-11-06


Priority: P4 (10, low)
CVSS 3.1 base score: 2.2
CVSS 3.1 vector: AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.44% (35.2th percentile)
Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

Affected (5 ranges)

Vendor    Product    Version range                                  Fixed in
debian    php-twig   < php-twig 2.14.3-1+deb11u4 (bullseye)         php-twig 2.14.3-1+deb11u4 (bullseye)
twig      twig       >= 0, < 3.11.2                                 3.11.2
twig      twig       >= 3.12, < 3.14.1                              3.14.1
twigphp   twig       < 3.11.2                                       3.11.2
twigphp   twig       (no range given)                               (not given)

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      2.2     LOW        CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
osv                       8.6     HIGH
vendor_ubuntu             8.5     HIGH
vendor_debian             2.2     LOW