24 matches found
CVE-2026-45017 Python Liquid: Absolute paths escape filesystem loader search path
Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and...
GHSA-8P4X-WR7X-3788 python-liquid: Absolute paths escape filesystem loader search path
Impact: The built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files...
Linux Distros Unpatched Vulnerability : CVE-2022-39261
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loa...
Fedora 37 : php-twig2 (2022-73b9fb7a77)
The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-73b9fb7a77 advisory. Version 2.15.3 (2022-09-28): Fix a security issue on filesystem loader (possibility to load a template outside a configured directory). Tenable has extracted the...
Fedora 37 : php-twig (2022-c6fe3ebd94)
The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-c6fe3ebd94 advisory. Version 1.44.7 (2022-09-28): Fix a security issue on filesystem loader (possibility to load a template outside a configured directory). Tenable has extracted the...
Fedora 37 : php-twig3 (2022-42aa6ee852)
The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-42aa6ee852 advisory. Version 3.4.3 (2022-09-28): Fix a security issue on filesystem loader (possibility to load a template outside a configured directory). Tenable has extracted the...
GHSA-7CVR-XHM5-X998 Twig Path Traversal vulnerability in the filesystem loader
Twig is affected by a path traversal vulnerability when used with Twig_Loader_Filesystem for loading Twig templates, but only if the application is using non-trusted template names (names provided by an end-user, for instance). When affected, it is possible to go up one directory for the paths configured ...
BIT-DRUPAL-2022-39261 Twig may load a template outside a configured directory when using the filesystem loader
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outsi...
Fedora 36 : php-twig (2022-1695454935)
The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-1695454935 advisory. Version 1.44.7 (2022-09-28): Fix a security issue on filesystem loader (possibility to load a template outside a configured directory). Tenable has extracted the...
Fedora 35 : php-twig3 (2022-e915614918)
The remote Fedora 35 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-e915614918 advisory. Version 3.4.3 (2022-09-28): Fix a security issue on filesystem loader (possibility to load a template outside a configured directory). Tenable has extracted the...
Fedora 36 : php-twig2 (2022-9d8ee4a6de)
The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-9d8ee4a6de advisory. Version 2.15.3 (2022-09-28): Fix a security issue on filesystem loader (possibility to load a template outside a configured directory). Tenable has extracted the...
Debian DSA-5248-1 : php-twig - security update
The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5248 advisory. Marlon Starkloff discovered that twig, a template engine for PHP, did not correctly enforce sandboxing. This would allow a malicious user to execute arbitrary code. For th...
GHSA-52M2-VC4M-JJ33 Twig may load a template outside a configured directory when using the filesystem loader
Description: When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file; in such a case, validation is...
Twig may load a template outside a configured directory when using the filesystem loader
Description: When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file; in such a case, validation is...
DEBIAN-CVE-2022-39261
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outsi...
CVE-2022-39261
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outsi...
UBUNTU-CVE-2022-39261
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outsi...
Input validation
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outsi...
CVE-2022-39261
Twig is affected: versions 1.x before 1.44.7, 2.x before 2.15.3, and 3.x before 3.4.3 have a vulnerability where the filesystem loader can read arbitrary files when a template name is user-controlled (e.g., @namespace/../file) due to validation bypass. The fixed releases are 1.44.7, 2.15.3, and 3...
CVE-2022-39261 Twig may load a template outside a configured directory when using the filesystem loader
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outsi...