19 matches found
Flattening of vulnerability issues within the Drupal core
Drupal has identified a vulnerability in Drupal core versions from 8.9.0 onward, including the 10.x and 11.x branches. The vulnerability is an SQL injection in Drupal's database abstraction API. As a result, unauthorized malicious actors can execute arbitrary SQL injections on sites...
PT-2026-42361
Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL...
GHSA-VRQV-52X7-RM4V Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates
Summary: Kimai's Twig sandbox StrictPolicy, used for admin-uploaded invoice and export templates, allow-lists the config Twig function with no key filtering. config(name) delegates to App\Configuration\SystemConfiguration::find($name), which returns arbitrary entries from the flattened kimai.config...
Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass
Multiple RCE vectors were found in Grav CMS. Three are critical, two are high. 1. Unsafe unserialize in JobQueue — direct RCE gadget (Critical): system/src/Grav/Common/Scheduler/JobQueue.php:465 calls unserialize(base64_decode(...)) without restricting allowed_classes. The Job class has...
GHSA-5FVC-7894-GHP4 Craft CMS has Twig Function Blocklist Bypass
Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. To successfully execute this attack, you need either allowAdminChanges enabled on production, a compromised admin account, or an...
GHSA-GJC5-8CFH-653X Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)
Summary: Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Details: Grav CMS uses a custom sandbox to protect the powerful Twig methods...
Ubuntu 24.04 LTS / 24.10 : Twig vulnerability (USN-7549-1)
The remote Ubuntu 24.04 LTS / 24.10 host has packages installed that are affected by a vulnerability as referenced in the USN-7549-1 advisory. It was discovered that Twig did not correctly handle securing user input. An attacker could possibly use this issue to cause Twig to expose sensitive...
[SECURITY] [DLA 4186-1] php-twig security update
Debian LTS Advisory DLA-4186-1 (https://www.debian.org/lts/security/), Markus Koschany, May 28, 2025 (https://wiki.debian.org/LTS). Package: php-twig. Version: 2.14.3-1+deb11u4. CVE ID: CVE-2024-51754. Twig is a template language for PHP. In a sandbox, an attacker can call...
GHSA-3XG3-CGVQ-2XWR Twig security issue where escaping was missing when using null coalesce operator
When using the ?? operator, output escaping was missing for the expression on the left side of the operator...
CVE-2025-24374 Twig fixes a security issue where escaping was missing when using null coalesce operator (??)
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0...
[SECURITY] [DSA 5771-1] php-twig security update
Debian Security Advisory DSA-5771-1 (https://www.debian.org/security/), Moritz Muehlenhoff, September 17, 2024 (https://www.debian.org/security/faq)...
[SECURITY] [DLA 3888-1] php-twig security update
Debian LTS Advisory DLA-3888-1 (https://www.debian.org/lts/security/), Adrian Bunk, September 16, 2024 (https://wiki.debian.org/LTS)...
[SECURITY] [DLA 3147-1] twig security update
Debian LTS Advisory DLA-3147-1 (https://www.debian.org/lts/security/), Chris Lamb, October 11, 2022 (https://wiki.debian.org/LTS)...
UBUNTU-CVE-2022-23614
Twig is an open source template language for PHP. When in a sandbox mode, the arrow parameter of the sort filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of...
Fedora 21 : php-twig-1.20.0-1.fc21 (2015-13423)
1.20.0 (2015-08-12): forbid access to the Twig environment from templates and internal parts of Twig_Template; fixed limited RCEs when in sandbox mode; deprecated Twig_Template::getEnvironment; deprecated the self variable for usage outside of the from and import tags; added Twig_BaseNodeVisitor to ease th...
Fedora 23 : php-twig-1.20.0-1.fc23 (2015-13463)
1.20.0 (2015-08-12): forbid access to the Twig environment from templates and internal parts of Twig_Template; fixed limited RCEs when in sandbox mode; deprecated Twig_Template::getEnvironment; deprecated the self variable for usage outside of the from and import tags; added Twig_BaseNodeVisitor to ease th...