
Snyk
added 2026/05/27 5:41 p.m. · 7 views

Improper Validation of Specified Index, Position, or Offset in Input

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input in the SandboxNodeVisitor that allows __toString() policy bypass via Traversable in join/replace filte...

CVSS 6 · AI score 5.8
Exploits 0 · References 2
Snyk
added 2026/05/27 5:41 p.m. · 5 views

Incorrect Authorization

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization via the deprecated twig_array_some, twig_array_every, and twig_check_arrow_in_sandbox helper functions. An attacker can bypass the sandbox callback...

CVSS 4.2 · AI score 5.8
Exploits 0 · References 2
Snyk
added 2026/05/20 9:41 a.m. · 3 views

Arbitrary Code Injection

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Arbitrary Code Injection via the obj.expr dynamic attribute syntax and MacroReferenceExpression::compile. An attacker can execute arbitrary PHP code by supplying a...

CVSS 9.8 · AI score 6.1
Exploits 0 · References 2
Snyk
added 2026/05/20 9:41 a.m. · 3 views

Incorrect Authorization

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization via object-destructuring assignment handling in ObjectDestructuringSetBinary::compile. An attacker can bypass Twig sandbox property and method...

CVSS 6.4 · AI score 5.9
Exploits 0 · References 2
Cvelist
added 2026/04/21 7:21 p.m. · 27 views

CVE-2026-40878 mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $_SERVER['REQUEST_URI'] to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

CVSS 2.1 · EPSS 0.02959
Exploits 0 · References 1
EUVD
added 2025/10/07 12:30 a.m. · 1 view

EUVD-2020-3821

Malware in sbrugna...

CVSS 9.1 · AI score 8.2 · EPSS 0.03989
Exploits 1 · References 4
RedhatCVE
added 2025/05/23 10:07 a.m. · 4 views

CVE-2024-24724

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine messengerSettings.php without sanitization...

CVSS 9.8 · AI score 7.8 · EPSS 0.44993
Exploits 4 · References 1
CNNVD
added 2025/01/29 12:00 a.m. · 4 views

Twig injection vulnerability

Twig is a PHP template engine from Twig open source. An injection vulnerability exists in Twig versions prior to 3.19.0, which stems from the lack of output escaping for expressions to the left of an operator when the operator is used...

CVSS 4.3 · AI score 6.8 · EPSS 0.00296
Exploits 0 · References 3
Snyk
added 2024/11/06 9:41 p.m. · 2 views

Protection Mechanism Failure

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Protection Mechanism Failure in a sandbox due to improper object validation in the ensureToStringAllowed function. An attacker can invoke the __toString method on an...

CVSS 2.2 · AI score 7 · EPSS 0.00135
Exploits 0 · References 2
OSV
added 2024/04/03 3:15 a.m. · 2 views

CVE-2024-24724

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine messengerSettings.php without sanitization...

CVSS 9.8 · AI score 9.8
Exploits 0 · References 2
NVD
added 2024/04/03 3:15 a.m. · 9 views

CVE-2024-24724

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine messengerSettings.php without sanitization...

CVSS 9.8 · AI score 7.5 · EPSS 0.44993
Exploits 4 · References 2
CVE
added 2024/04/03 12:00 a.m. · 110 views

CVE-2024-24724

CVE-2024-24724 affects Gibbon LMS (versions through 26.0.00). The vulnerability is a Server-Side Template Injection in /modules/School Admin/messengerSettings.php where user input is passed to the Twig template engine without sanitization, enabling Remote Code Execution. Exploitation is demonstra...

CVSS 9.8 · AI score 7.7 · EPSS 0.44993
Exploits 4 · References 2 · Affected Software 1
Vulnrichment
added 2024/04/03 12:00 a.m. · 12 views

CVE-2024-24724

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine messengerSettings.php without sanitization...

AI score 7.8 · EPSS 0.44993
Exploits 4 · References 2
Cvelist
added 2024/04/03 12:00 a.m. · 13 views

CVE-2024-24724

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine messengerSettings.php without sanitization...

AI score 7.8 · EPSS 0.44993
Exploits 4 · References 2
Positive Technologies
added 2023/11/07 12:00 a.m. · 3 views

PT-2023-30241 · Ec Cube +1 · Ec-Cube +1

Name of the Vulnerable Software and Affected Versions: EC-CUBE versions 3.0.0 through 3.0.18-p6 EC-CUBE versions 4.0.0 through 4.0.6-p3 EC-CUBE versions 4.1.0 through 4.1.2-p2 EC-CUBE versions 4.2.0 through 4.2.2 Description: The issue is due to improper settings of the template engine Twig...

CVSS 7.2 · AI score 7.2 · EPSS 0.01296
Exploits 1 · References 6
Fedora
added 2022/10/07 3:56 p.m. · 16 views

[SECURITY] Fedora 36 Update: php-twig3-3.4.3-1.fc36

The flexible, fast, and secure template engine for PHP. Fast: Twig compiles templates down to plain optimized PHP code. The overhead compared to regular PHP code was reduced to the very minimum. Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a...

AI score 3.2
Exploits 0
NCSC
added 2022/09/30 12:00 a.m. · 1 view

Vulnerability fixed in Drupal

A vulnerability has been fixed in Drupal Core. The vulnerability is located in Twig. Drupal Core uses Twig as its template engine. The vulnerability allows a malicious person who has elevated privileges to obtain sensitive data. At the time of writing this security advisory, there is still no kno...

AI score 6.3
Exploits 0
OSV
added 2020/04/01 9:15 p.m. · 0 views

CVE-2020-11467

An issue was discovered in Deskpro before 2019.8.0. This product enables administrators to modify the helpdesk interface by editing /portal/api/style/edit-theme-set/template-sources theme templates, and uses TWIG as its template engine. While direct access to self and self variables was not...

CVSS 7.2 · AI score 7.5
Exploits 0 · References 3
NVD
added 2020/04/01 9:15 p.m. · 8 views

CVE-2020-11467

An issue was discovered in Deskpro before 2019.8.0. This product enables administrators to modify the helpdesk interface by editing /portal/api/style/edit-theme-set/template-sources theme templates, and uses TWIG as its template engine. While direct access to self and self variables was not...

CVSS 9.1 · AI score 7.7 · EPSS 0.03989
Exploits 1 · References 3
Prion
added 2020/04/01 9:15 p.m. · 8 views

Remote code execution

An issue was discovered in Deskpro before 2019.8.0. This product enables administrators to modify the helpdesk interface by editing /portal/api/style/edit-theme-set/template-sources theme templates, and uses TWIG as its template engine. While direct access to self and self variables was not...

CVSS 6.5 · AI score 7.2 · EPSS 0.03989
Exploits 1 · References 3 · Affected Software 1