Lucene search
K

30 matches found

NVD
NVD
added yesterday6 views

CVE-2026-48808

Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed, so SourcePolicyInterface decisions are lost and a template author can read public or magic...

6CVSS
Exploits0References3
NVD
NVD
added yesterday5 views

CVE-2026-47732

Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed, allowing a sandboxed template author to invoke toString on objects reachable in the render context...

7.1CVSS0.00044EPSS
Exploits0References3
NVD
NVD
added yesterday5 views

CVE-2026-46628

Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0...

5.1CVSS0.00056EPSS
Exploits0References3
Cvelist
Cvelist
added yesterday23 views

CVE-2026-46629 Twig: Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments

Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned...

5.3CVSS0.00056EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/27 5:41 p.m.13 views

Improper Validation of Specified Index, Position, or Offset in Input

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input in the SandboxNodeVisitor that allows toString policy bypass via Traversable in join/replace filte...

7.1CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/27 5:41 p.m.10 views

Incorrect Authorization

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization via the deprecated twigarraysome, twigarrayevery, and twigcheckarrowinsandbox helper functions. An attacker can bypass the sandbox callback...

5.3CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/20 9:41 a.m.7 views

Arbitrary Code Injection

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Arbitrary Code Injection via the obj.expr dynamic attribute syntax and MacroReferenceExpression::compile. An attacker can execute arbitrary PHP code by supplying a...

9.8CVSS6.1AI score0.00056EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 9:41 a.m.8 views

Incorrect Authorization

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization via object-destructuring assignment handling in ObjectDestructuringSetBinary::compile. An attacker can bypass Twig sandbox property and method...

7.1CVSS5.9AI score0.00082EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/21 7:21 p.m.34 views

CVE-2026-40878 mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

2.1CVSS0.00805EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2020-3821

Malware in sbrugna...

9.1CVSS8.2AI score0.03987EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2025/05/23 10:7 a.m.8 views

CVE-2024-24724

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine messengerSettings.php without sanitization...

9.8CVSS7.8AI score0.26089EPSS
Exploits4References1
CNNVD
CNNVD
added 2025/01/29 12:0 a.m.7 views

Twig 注入漏洞

Twig is a PHP template engine from Twig open source. An injection vulnerability exists in Twig versions prior to 3.19.0, which stems from the lack of output escaping for expressions to the left of an operator when the operator is used...

4.3CVSS6.8AI score0.00282EPSS
Exploits0References3
Snyk
Snyk
added 2024/11/06 9:41 p.m.4 views

Protection Mechanism Failure

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Protection Mechanism Failure in a sandbox due to improper object validation in the ensureToStringAllowed function. An attacker can invoke the toString method on an...

2.2CVSS7AI score0.0044EPSS
Exploits0References2
NVD
NVD
added 2024/04/03 3:15 a.m.12 views

CVE-2024-24724

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine messengerSettings.php without sanitization...

9.8CVSS7.5AI score0.26089EPSS
Exploits4References2
Vulnrichment
Vulnrichment
added 2024/04/03 12:0 a.m.14 views

CVE-2024-24724

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine messengerSettings.php without sanitization...

7.8AI score0.26089EPSS
Exploits4References2
CVE
CVE
added 2024/04/03 12:0 a.m.119 views

CVE-2024-24724

CVE-2024-24724 affects Gibbon LMS (versions through 26.0.00). The vulnerability is a Server-Side Template Injection in /modules/School Admin/messengerSettings.php where user input is passed to the Twig template engine without sanitization, enabling Remote Code Execution. Exploitation is demonstra...

9.8CVSS7.7AI score0.26089EPSS
Exploits4References2Affected Software1
OSV
OSV
added 2024/04/03 12:0 a.m.4 views

CVE-2024-24724

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine messengerSettings.php without sanitization...

9.8CVSS9.8AI score0.26089EPSS
Exploits4References4
Cvelist
Cvelist
added 2024/04/03 12:0 a.m.20 views

CVE-2024-24724

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine messengerSettings.php without sanitization...

7.8AI score0.26089EPSS
Exploits4References2
Positive Technologies
Positive Technologies
added 2023/11/07 12:0 a.m.6 views

PT-2023-30241 · Ec Cube +1 · Ec-Cube +1

Name of the Vulnerable Software and Affected Versions: EC-CUBE versions 3.0.0 through 3.0.18-p6 EC-CUBE versions 4.0.0 through 4.0.6-p3 EC-CUBE versions 4.1.0 through 4.1.2-p2 EC-CUBE versions 4.2.0 through 4.2.2 Description: The issue is due to improper settings of the template engine Twig...

7.2CVSS7.2AI score0.01582EPSS
Exploits1References6
Fedora
Fedora
added 2022/10/07 3:56 p.m.18 views

[SECURITY] Fedora 36 Update: php-twig3-3.4.3-1.fc36

The flexible, fast, and secure template engine for PHP. Fast: Twig compiles templates down to plain optimized PHP code. The overhead compared to regular PHP code was reduced to the very minimum. Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a...

3.2AI score
Exploits0
Rows per page
Query Builder