Twigphp Twig vulnerabilities
6 known vulnerabilities affecting twigphp/twig.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 1, LOW 2
Vulnerabilities
CVE-2025-24374 | MEDIUM | CVSS 4.3 | affected: >= 3.16.0, < 3.19.0 | published 2025-01-29
[MEDIUM] CWE-74
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
Sources: cvelistv5, nvd
CVE-2024-51755 | LOW | CVSS 2.2 | fixed in 3.11.2 | affected: >= 3.12.0, < 3.14.1 | published 2024-11-06
[LOW] CWE-668
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All use
Sources: cvelistv5, nvd
CVE-2024-51754 | LOW | CVSS 2.2 | fixed in 3.11.2 | affected: >= 3.12.0, < 3.14.1 | published 2024-11-06
[LOW] CWE-668
Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are ad
Sources: cvelistv5, nvd
CVE-2024-45411 | HIGH | CVSS 8.6 | affected: > 1.0.0, < 1.44.8; > 2.0.0, < 2.16.1; +1 more | published 2024-09-09
[HIGH] CWE-693
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run, which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
Sources: cvelistv5, nvd
CVE-2022-39261 | HIGH | CVSS 7.5 | affected: >= 1.0.0, < 1.44.7; >= 2.0.0, < 2.15.3; +1 more | published 2022-09-28
[HIGH] CWE-22
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace li
Sources: cvelistv5, nvd
CVE-2022-23614 | CRITICAL | CVSS 9.8 | affected: >= 3.0.0, < 3.3.8; >= 2.0.0, < 2.14.11 | published 2022-02-04
[HIGH] CWE-74
Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling
Sources: cvelistv5, nvd