Lucene search
K

7 matches found

Github Security Blog
Github Security Blog
added 2026/05/21 9:31 p.m.19 views

Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation

Description The obj.expr dynamic-attribute syntax added in 3.15.0 as the replacement for the deprecated attribute function lets the attribute be an arbitrary expression. When the receiver is self or any % import % alias and the parenthesised expression is a string literal, DotExpressionParser...

8.7CVSS6AI score0.00056EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/05/21 9:31 p.m.10 views

GHSA-45VW-WH46-2VX8 Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation

Description The obj.expr dynamic-attribute syntax added in 3.15.0 as the replacement for the deprecated attribute function lets the attribute be an arbitrary expression. When the receiver is self or any % import % alias and the parenthesised expression is a string literal, DotExpressionParser...

8.7CVSS6AI score0.00056EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/05/21 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-46640

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Twig: Arbitrary PHP code execution via self. macro-reference compilation CVE-2026-46640 Note that Nessus relies on the presence of the package as reported by th...

8.7CVSS6.2AI score0.00056EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.15 views

PT-2026-42692

Name of the Vulnerable Software and Affected Versions Twig versions prior to 3.15.0 Description The obj.expr dynamic-attribute syntax allows the attribute to be an arbitrary expression. When the receiver is self or any % import % alias and the parenthesised expression is a string literal, the...

8.7CVSS6.3AI score0.00056EPSS
Exploits0References27
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.12 views

PT-2026-42591

Description The obj.expr dynamic-attribute syntax added in 3.15.0 as the replacement for the deprecated attribute function lets the attribute be an arbitrary expression. When the receiver is self or any % import % alias and the parenthesised expression is a string literal, DotExpressionParser...

8.7CVSS6AI score0.00056EPSS
Exploits0References5
Snyk
Snyk
added 2026/05/20 9:41 a.m.7 views

Arbitrary Code Injection

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Arbitrary Code Injection via the obj.expr dynamic attribute syntax and MacroReferenceExpression::compile. An attacker can execute arbitrary PHP code by supplying a...

9.8CVSS6.1AI score0.00056EPSS
Exploits0References2
Friends Of PHP
Friends Of PHP
added 2026/05/20 8:0 a.m.19 views

Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation

More info at https://symfony.com/cve-2026-46640...

8.7CVSS5.8AI score0.00056EPSS
Exploits0Affected Software1
Rows per page
Query Builder