CVE-2022-39261

🗓️ 28 Sep 2022 14:15:00Reported by ubuntu.comType

Twig PHP template language prior to versions 1.44.7, 2.15.3, and 3.4.3 allows arbitrary file read with `source` or `include` statement

Reporter	Title	Published	Views	Family All 94
AstraLinux	Astra Linux – Vulnerability in Twig	20 May 202605:53	–	astralinux
Circl	CVE-2022-39261	28 Sep 202218:34	–	circl
CNNVD	Sensio Labs Twig 路径遍历漏洞	28 Sep 202200:00	–	cnnvd
CNVD	Sensio Labs Twig Path Traversal Vulnerability	30 Sep 202200:00	–	cnvd
CVE	CVE-2022-39261	28 Sep 202200:00	–	cve
Cvelist	CVE-2022-39261 Twig may load a template outside a configured directory when using the filesystem loader	28 Sep 202200:00	–	cvelist
Debian	[SECURITY] [DLA 3147-1] twig security update	11 Oct 202218:00	–	debian
Debian	[SECURITY] [DSA 5246-1] php-twig security update	5 Oct 202205:37	–	debian
Debian CVE	CVE-2022-39261	28 Sep 202200:00	–	debiancve
Tenable Nessus	Debian dla-3147 : php-twig - security update	11 Oct 202200:00	–	nessus

OS	OS Version	Architecture	Package	Package Version	Filename
Ubuntu	20.04	any	php-twig	2.12.5-1ubuntu0.1~esm1	php-twig_2.12.5-1ubuntu0.1~esm1_any.deb
Ubuntu	22.04	any	php-twig	3.3.8-2ubuntu4+esm1	php-twig_3.3.8-2ubuntu4+esm1_any.deb
Ubuntu	18.04	any	twig	2.4.6-1ubuntu0.1~esm1	twig_2.4.6-1ubuntu0.1~esm1_any.deb
Ubuntu	16.04	any	twig	1.23.1-1ubuntu4+esm1	twig_1.23.1-1ubuntu4+esm1_any.deb

Source	Link
github	www.github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
github	www.github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b%20(v1.44.7,%20v2.15.3,%20v3.4.3)
github	www.github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
drupal	www.drupal.org/sa-core-2022-016
ubuntu	www.ubuntu.com/security/notices/USN-5947-1
cve	www.cve.org/CVERecord

26 Aug 2025 12:48Current

7.2High risk

Vulners AI Score7.2

CVSS 3.17.5

EPSS0.01488

SSVC