EUVD-2021-1058

Malware in sbrugna...

EUVD-2020-0435

Malware in sbrugna...

EUVD-2024-1787

Malicious code in bioql PyPI...

CVE-2024-35191

Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or renderi...

CVE-2021-32649

October CMS is a self-hosted content management system CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in t...

CVE-2020-11056

In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. This has been fixed in 3.9.0...

Template Injection

verbb/formie is vulnerable to Template Injection. An attacker can execute arbitrary code by including malicious Twig code into fields that support Twig, such as the Submission Title or the Success Message...

verbb/formie Server-Side Template Injection for variable-enabled settings

Impact Users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This is listed as low-medium severity due to...

GHSA-V45M-HXQP-FWF5 verbb/formie Server-Side Template Injection for variable-enabled settings

Impact Users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This is listed as low-medium severity due to...

CVE-2024-35191 verbb/formie Server-Side Template Injection for variable-enabled settings

Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or renderi...

CVE-2024-35191

CVE-2024-35191 affects the verbb/formie Craft CMS plugin. Before version 2.1.6, users who can access a form’s settings could insert malicious Twig code into fields that support Twig (e.g., Submission Title or Success Message). The injected Twig could be executed when a submission is created or wh...

CVE-2024-35191 verbb/formie Server-Side Template Injection for variable-enabled settings

Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or renderi...

Pixel＆tonic Craft CMS 安全漏洞

Pixel & tonic Craft CMS is a content management system CMS from Pixel & tonic USA. A security vulnerability exists in Pixel & tonic Craft CMS Formie versions prior to 2.1.6, which stems from a user with access to form settings can include malicious Twig code into Twig-enabled fields that will...

PT-2024-26371 · Formie · Formie

Name of the Vulnerable Software and Affected Versions: Formie versions prior to 2.1.6 Description: The issue allows users with access to a form's settings to include malicious Twig code into fields that support Twig, such as the Submission Title or the Success Message. This code will then be...

CVE-2023-44382

October is a Content Management System CMS and web platform to assist with development workflow. An authenticated backend user with the editor.cmspages, editor.cmslayouts, or editor.cmspartials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to...

Server Side Template Injection

October CMS is vulnerable to Server Side Template Injection. The vulnerability is due improper sandboxing of twig code, where an authenticated backend user possessing the editor.cmspages, editor.cmslayouts, or editor.cmspartials permissions, can execute PHP code even when cms.safemode being...

Drupal 9.3.x < 9.3.22 Third-Party Library Vulnerability

According to its self-reported version, the instance of Drupal running on the remote web server is 9.3.x prior to 9.3.22 or 9.4.x prior to 9.4.7. Drupal uses the Twig third-party library for content templating and sanitization. Multiple vulnerabilities are possible if an untrusted user has access...

SEOmatic plugin for Craft CMS SSTI Vulnerability

A Server Side Template Injection SSTI was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code...

GHSA-6J9M-RP7M-3GFG SEOmatic plugin for Craft CMS SSTI Vulnerability

A Server Side Template Injection SSTI was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code...

CVE-2022-24780

Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in version...