5 matches found
CVE-2026-46640
Twig is a template language for PHP. From 3.15.0 until 3.26.0, self. and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression name without identifier validation, causing raw PHP to be emitted into the generated template source and...
CVE-2026-46640
CVE-2026-46640 — Twig (PHP template engine) : The issue affects Twig 3.15.0 through 3.26.0 where _self.() and import-alias dynamic attribute syntax can concatenate attacker-controlled strings into a MacroReferenceExpression name, bypassing identifier validation and causing raw PHP to be emitted a...
Buffer overflow
The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, such as draft, private or even password protected ones...
Possibility to load a template outside a configured directory when using the filesystem loader
More info at https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader...
Sierra Wireless AirLink ES450 Information Disclosure Vulnerability (CNVD-2019-13397)
The Sierra Wireless AirLink ES450 is a cellular network modem device from Sierra Wireless Canada. An information disclosure vulnerability exists in the ACEManager templateload.cgi function in the Sierra Wireless AirLink ES450 using firmware version 4.9.3. The vulnerability stems from an error in...