Lookup for vulnerable packages by Package URL.

Purl pkg:composer/twig/twig@1.18.1
Type composer
Namespace twig
Name twig
Version 1.18.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.11.2
Latest_non_vulnerable_version 3.19.0
Affected_by_vulnerabilities
0
url VCID-1au7-86r7-8qdn
vulnerability_id VCID-1au7-86r7-8qdn
summary
Twig has unguarded calls to `__toString()` when nesting an object into an array
### Description

In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).

### Resolution

The sandbox mode now checks the `__toString()` method call on all objects.

The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/cafc608ece310e62a35a76f17e25c04ab9ed05cc) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/d4a302681bca9f7c6ce2835470d53609cdf3e23e) for the 3.x branch.

### Credits

We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-51754
reference_id
reference_type
scores
0
value 0.00135
scoring_system epss
scoring_elements 0.33211
published_at 2026-04-08T12:55:00Z
1
value 0.00135
scoring_system epss
scoring_elements 0.33201
published_at 2026-04-18T12:55:00Z
2
value 0.00135
scoring_system epss
scoring_elements 0.33224
published_at 2026-04-16T12:55:00Z
3
value 0.00135
scoring_system epss
scoring_elements 0.33184
published_at 2026-04-13T12:55:00Z
4
value 0.00135
scoring_system epss
scoring_elements 0.33207
published_at 2026-04-12T12:55:00Z
5
value 0.00135
scoring_system epss
scoring_elements 0.33248
published_at 2026-04-11T12:55:00Z
6
value 0.00135
scoring_system epss
scoring_elements 0.33303
published_at 2026-04-02T12:55:00Z
7
value 0.00135
scoring_system epss
scoring_elements 0.33335
published_at 2026-04-04T12:55:00Z
8
value 0.00135
scoring_system epss
scoring_elements 0.33167
published_at 2026-04-07T12:55:00Z
9
value 0.00135
scoring_system epss
scoring_elements 0.33244
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-51754
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51754
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51754
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51754.yaml
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51754.yaml
3
reference_url https://github.com/twigphp/Twig
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig
4
reference_url https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:40:22Z/
url https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73
5
reference_url https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:40:22Z/
url https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
6
reference_url https://lists.debian.org/debian-lts-announce/2025/05/msg00039.html
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/05/msg00039.html
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-51754
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-51754
8
reference_url https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086884
reference_id 1086884
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086884
10
reference_url https://github.com/advisories/GHSA-6377-hfv9-hqf6
reference_id GHSA-6377-hfv9-hqf6
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6377-hfv9-hqf6
11
reference_url https://usn.ubuntu.com/7456-1/
reference_id USN-7456-1
reference_type
scores
url https://usn.ubuntu.com/7456-1/
fixed_packages
0
url pkg:composer/twig/twig@3.11.2
purl pkg:composer/twig/twig@3.11.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@3.11.2
1
url pkg:composer/twig/twig@3.14.1
purl pkg:composer/twig/twig@3.14.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@3.14.1
aliases CVE-2024-51754, GHSA-6377-hfv9-hqf6
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1au7-86r7-8qdn
1
url VCID-4jwc-v1ar-q7ek
vulnerability_id VCID-4jwc-v1ar-q7ek
summary
Twig remote code execution in templates
The `displayBlock` function in `Template.php` in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the `_self` variable in a template.
references
0
reference_url http://openwall.com/lists/oss-security/2015/08/21/3
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2015/08/21/3
1
reference_url http://openwall.com/lists/oss-security/2015/10/11/2
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2015/10/11/2
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2015-7809
reference_id
reference_type
scores
0
value 0.02041
scoring_system epss
scoring_elements 0.83834
published_at 2026-04-12T12:55:00Z
1
value 0.02041
scoring_system epss
scoring_elements 0.8384
published_at 2026-04-11T12:55:00Z
2
value 0.02041
scoring_system epss
scoring_elements 0.83824
published_at 2026-04-09T12:55:00Z
3
value 0.02041
scoring_system epss
scoring_elements 0.83818
published_at 2026-04-08T12:55:00Z
4
value 0.02041
scoring_system epss
scoring_elements 0.83795
published_at 2026-04-07T12:55:00Z
5
value 0.02041
scoring_system epss
scoring_elements 0.83766
published_at 2026-04-01T12:55:00Z
6
value 0.02041
scoring_system epss
scoring_elements 0.83864
published_at 2026-04-18T12:55:00Z
7
value 0.02041
scoring_system epss
scoring_elements 0.83863
published_at 2026-04-16T12:55:00Z
8
value 0.02041
scoring_system epss
scoring_elements 0.8383
published_at 2026-04-13T12:55:00Z
9
value 0.02041
scoring_system epss
scoring_elements 0.83793
published_at 2026-04-04T12:55:00Z
10
value 0.02041
scoring_system epss
scoring_elements 0.83779
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2015-7809
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7809
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7809
4
reference_url https://github.com/fabpot/Twig/commit/30be07759a3de2558da5224f127d052ecf492e8f
reference_id
reference_type
scores
url https://github.com/fabpot/Twig/commit/30be07759a3de2558da5224f127d052ecf492e8f
5
reference_url https://github.com/twigphp/Twig
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig
6
reference_url https://github.com/twigphp/Twig/commit/30be07759a3de2558da5224f127d052ecf492e8f
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig/commit/30be07759a3de2558da5224f127d052ecf492e8f
7
reference_url https://github.com/twigphp/Twig/pull/1759
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig/pull/1759
8
reference_url https://symfony.com/blog/security-release-twig-1-20-0
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://symfony.com/blog/security-release-twig-1-20-0
9
reference_url http://symfony.com/blog/security-release-twig-1-20-0
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://symfony.com/blog/security-release-twig-1-20-0
10
reference_url http://www.debian.org/security/2015/dsa-3343
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2015/dsa-3343
11
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2015-7809
reference_id CVE-2015-7809
reference_type
scores
0
value 6.8
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:P/I:P/A:P
1
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2015-7809
13
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2015-7809.yaml
reference_id CVE-2015-7809.YAML
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2015-7809.yaml
14
reference_url https://github.com/advisories/GHSA-xw83-pwrm-9j74
reference_id GHSA-xw83-pwrm-9j74
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xw83-pwrm-9j74
fixed_packages
0
url pkg:composer/twig/twig@1.20.0
purl pkg:composer/twig/twig@1.20.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
2
vulnerability VCID-etje-vrfw-nbh4
3
vulnerability VCID-ummk-h11z-bkaj
4
vulnerability VCID-xe7j-b1cs-eqct
5
vulnerability VCID-xscd-caaj-kqdk
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@1.20.0
aliases CVE-2015-7809, GHSA-xw83-pwrm-9j74
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4jwc-v1ar-q7ek
2
url VCID-cd24-q2ys-yfbe
vulnerability_id VCID-cd24-q2ys-yfbe
summary
Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled
### Description

In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy.
They are now checked via the property policy and the `__isset()` method is now called after the security check.
**This is a BC break.**

### Resolution

The sandbox mode now ensures access to array-like's properties is allowed.

The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/ec39a9dccc5fb4eaaba55e5d79a6f84a8dd8b69d) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/b957e5a44cc0075d04ccff52f8fa9d8e6db3e3a0) for the 3.x branch.

### Credits

We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-51755
reference_id
reference_type
scores
0
value 0.00147
scoring_system epss
scoring_elements 0.35179
published_at 2026-04-02T12:55:00Z
1
value 0.00147
scoring_system epss
scoring_elements 0.35127
published_at 2026-04-18T12:55:00Z
2
value 0.00147
scoring_system epss
scoring_elements 0.35141
published_at 2026-04-16T12:55:00Z
3
value 0.00147
scoring_system epss
scoring_elements 0.35104
published_at 2026-04-13T12:55:00Z
4
value 0.00147
scoring_system epss
scoring_elements 0.35128
published_at 2026-04-12T12:55:00Z
5
value 0.00147
scoring_system epss
scoring_elements 0.35163
published_at 2026-04-11T12:55:00Z
6
value 0.00147
scoring_system epss
scoring_elements 0.35159
published_at 2026-04-09T12:55:00Z
7
value 0.00147
scoring_system epss
scoring_elements 0.35133
published_at 2026-04-08T12:55:00Z
8
value 0.00147
scoring_system epss
scoring_elements 0.35089
published_at 2026-04-07T12:55:00Z
9
value 0.00147
scoring_system epss
scoring_elements 0.35208
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-51755
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51755
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51755
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51755.yaml
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51755.yaml
3
reference_url https://github.com/twigphp/Twig
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig
4
reference_url https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:44:58Z/
url https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21
5
reference_url https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:44:58Z/
url https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-51755
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-51755
7
reference_url https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled
reference_id
reference_type
scores
0
value 2.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086884
reference_id 1086884
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086884
9
reference_url https://github.com/advisories/GHSA-jjxq-ff2g-95vh
reference_id GHSA-jjxq-ff2g-95vh
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jjxq-ff2g-95vh
fixed_packages
0
url pkg:composer/twig/twig@3.11.2
purl pkg:composer/twig/twig@3.11.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@3.11.2
1
url pkg:composer/twig/twig@3.14.1
purl pkg:composer/twig/twig@3.14.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@3.14.1
aliases CVE-2024-51755, GHSA-jjxq-ff2g-95vh
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cd24-q2ys-yfbe
3
url VCID-etje-vrfw-nbh4
vulnerability_id VCID-etje-vrfw-nbh4
summary
Twig has a possible sandbox bypass
### Description

Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.

The security issue happens when all these conditions are met:

 * The sandbox is disabled globally;
 * The sandbox is enabled via a sandboxed `include()` function which references a template name (like `included.twig`) and not a `Template` or `TemplateWrapper` instance;
 * The included template has been loaded before the `include()` call but in a non-sandbox context (possible as the sandbox has been globally disabled).

### Resolution

The patch ensures that the sandbox security checks are always run at runtime.

### Credits

We would like to thank Fabien Potencier for reporting and fixing the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45411
reference_id
reference_type
scores
0
value 0.00144
scoring_system epss
scoring_elements 0.34791
published_at 2026-04-02T12:55:00Z
1
value 0.00144
scoring_system epss
scoring_elements 0.34727
published_at 2026-04-18T12:55:00Z
2
value 0.00144
scoring_system epss
scoring_elements 0.34742
published_at 2026-04-16T12:55:00Z
3
value 0.00144
scoring_system epss
scoring_elements 0.34707
published_at 2026-04-13T12:55:00Z
4
value 0.00144
scoring_system epss
scoring_elements 0.3473
published_at 2026-04-12T12:55:00Z
5
value 0.00144
scoring_system epss
scoring_elements 0.34769
published_at 2026-04-11T12:55:00Z
6
value 0.00144
scoring_system epss
scoring_elements 0.34766
published_at 2026-04-09T12:55:00Z
7
value 0.00144
scoring_system epss
scoring_elements 0.34737
published_at 2026-04-08T12:55:00Z
8
value 0.00144
scoring_system epss
scoring_elements 0.34694
published_at 2026-04-07T12:55:00Z
9
value 0.00144
scoring_system epss
scoring_elements 0.34817
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45411
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45411
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45411
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-45411.yaml
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-45411.yaml
3
reference_url https://github.com/twigphp/Twig
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig
4
reference_url https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-09T18:37:50Z/
url https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6
5
reference_url https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-09T18:37:50Z/
url https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de
6
reference_url https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635
7
reference_url https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-09T18:37:50Z/
url https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233
8
reference_url https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-09T18:37:50Z/
url https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45411
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45411
10
reference_url https://symfony.com/blog/twig-security-release-possible-sandbox-bypass
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 5.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/blog/twig-security-release-possible-sandbox-bypass
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081561
reference_id 1081561
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081561
12
reference_url https://github.com/advisories/GHSA-6j75-5wfj-gh66
reference_id GHSA-6j75-5wfj-gh66
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6j75-5wfj-gh66
13
reference_url https://usn.ubuntu.com/7456-1/
reference_id USN-7456-1
reference_type
scores
url https://usn.ubuntu.com/7456-1/
14
reference_url https://usn.ubuntu.com/7549-1/
reference_id USN-7549-1
reference_type
scores
url https://usn.ubuntu.com/7549-1/
fixed_packages
0
url pkg:composer/twig/twig@1.44.8
purl pkg:composer/twig/twig@1.44.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@1.44.8
1
url pkg:composer/twig/twig@2.16.1
purl pkg:composer/twig/twig@2.16.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@2.16.1
2
url pkg:composer/twig/twig@3.0.0-BETA1
purl pkg:composer/twig/twig@3.0.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@3.0.0-BETA1
3
url pkg:composer/twig/twig@3.11.1
purl pkg:composer/twig/twig@3.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@3.11.1
4
url pkg:composer/twig/twig@3.14.0
purl pkg:composer/twig/twig@3.14.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@3.14.0
aliases CVE-2024-45411, GHSA-6j75-5wfj-gh66
risk_score 3.9
exploitability 0.5
weighted_severity 7.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-etje-vrfw-nbh4
4
url VCID-qm9h-wdun-xkgx
vulnerability_id VCID-qm9h-wdun-xkgx
summary
Code Injection
Remote code execution in templates.
references
0
reference_url https://symfony.com/blog/security-release-twig-1-20-0
reference_id
reference_type
scores
url https://symfony.com/blog/security-release-twig-1-20-0
fixed_packages
0
url pkg:composer/twig/twig@1.20.0
purl pkg:composer/twig/twig@1.20.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
2
vulnerability VCID-etje-vrfw-nbh4
3
vulnerability VCID-ummk-h11z-bkaj
4
vulnerability VCID-xe7j-b1cs-eqct
5
vulnerability VCID-xscd-caaj-kqdk
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@1.20.0
aliases 2015-08-12
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qm9h-wdun-xkgx
5
url VCID-tgj6-umnp-nug2
vulnerability_id VCID-tgj6-umnp-nug2
summary
Remote Code Execution
Your application is affected if you allow end users to submit Twig templates, even if you protected this template with Twig's sandbox mode. End users can craft valid Twig code that allows them to execute arbitrary code (RCEs) via the _self variable, which is always available, even in sandboxed templates.
references
0
reference_url https://github.com/twigphp/Twig/commit/30be07759a3de2558da5224f127d052ecf492e8f
reference_id
reference_type
scores
url https://github.com/twigphp/Twig/commit/30be07759a3de2558da5224f127d052ecf492e8f
1
reference_url https://github.com/twigphp/Twig/pull/1759
reference_id
reference_type
scores
url https://github.com/twigphp/Twig/pull/1759
2
reference_url https://symfony.com/blog/security-release-twig-1-20-0
reference_id
reference_type
scores
url https://symfony.com/blog/security-release-twig-1-20-0
fixed_packages
0
url pkg:composer/twig/twig@1.20.0
purl pkg:composer/twig/twig@1.20.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
2
vulnerability VCID-etje-vrfw-nbh4
3
vulnerability VCID-ummk-h11z-bkaj
4
vulnerability VCID-xe7j-b1cs-eqct
5
vulnerability VCID-xscd-caaj-kqdk
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@1.20.0
aliases GMS-2015-19
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tgj6-umnp-nug2
6
url VCID-ummk-h11z-bkaj
vulnerability_id VCID-ummk-h11z-bkaj
summary
Twig may load a template outside a configured directory when using the filesystem loader
# Description

When using the filesystem loader to load templates for which the name is a user input, it is possible to use the `source` or `include` statement to read arbitrary files from outside the templates directory when using a namespace like `@somewhere/../some.file` (in such a case, validation is bypassed).

# Resolution

We fixed validation for such template names.

Even if the 1.x branch is not maintained anymore, a new version has been released.

# Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-39261
reference_id
reference_type
scores
0
value 0.09505
scoring_system epss
scoring_elements 0.92815
published_at 2026-04-02T12:55:00Z
1
value 0.09505
scoring_system epss
scoring_elements 0.92847
published_at 2026-04-18T12:55:00Z
2
value 0.09505
scoring_system epss
scoring_elements 0.92846
published_at 2026-04-16T12:55:00Z
3
value 0.09505
scoring_system epss
scoring_elements 0.92835
published_at 2026-04-13T12:55:00Z
4
value 0.09505
scoring_system epss
scoring_elements 0.92831
published_at 2026-04-09T12:55:00Z
5
value 0.09505
scoring_system epss
scoring_elements 0.92827
published_at 2026-04-08T12:55:00Z
6
value 0.09505
scoring_system epss
scoring_elements 0.92818
published_at 2026-04-07T12:55:00Z
7
value 0.09505
scoring_system epss
scoring_elements 0.9282
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-39261
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39261
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39261
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-39261.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-39261.yaml
3
reference_url https://github.com/twigphp/Twig
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig
4
reference_url https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
5
reference_url https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
6
reference_url https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F
18
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-39261
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-39261
20
reference_url https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader
21
reference_url https://www.debian.org/security/2022/dsa-5248
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://www.debian.org/security/2022/dsa-5248
22
reference_url https://www.drupal.org/sa-core-2022-016
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://www.drupal.org/sa-core-2022-016
23
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020991
reference_id 1020991
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020991
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
reference_id 2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
reference_id AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
26
reference_url https://github.com/advisories/GHSA-52m2-vc4m-jj33
reference_id GHSA-52m2-vc4m-jj33
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-52m2-vc4m-jj33
27
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
reference_id NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
28
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
reference_id TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
29
reference_url https://usn.ubuntu.com/5947-1/
reference_id USN-5947-1
reference_type
scores
url https://usn.ubuntu.com/5947-1/
30
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
reference_id WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
31
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
reference_id YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
fixed_packages
0
url pkg:composer/twig/twig@1.44.7
purl pkg:composer/twig/twig@1.44.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
2
vulnerability VCID-etje-vrfw-nbh4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@1.44.7
1
url pkg:composer/twig/twig@2.15.3
purl pkg:composer/twig/twig@2.15.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
2
vulnerability VCID-etje-vrfw-nbh4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@2.15.3
2
url pkg:composer/twig/twig@3.0.0-BETA1
purl pkg:composer/twig/twig@3.0.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@3.0.0-BETA1
3
url pkg:composer/twig/twig@3.4.3
purl pkg:composer/twig/twig@3.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
2
vulnerability VCID-etje-vrfw-nbh4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@3.4.3
aliases CVE-2022-39261, GHSA-52m2-vc4m-jj33
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ummk-h11z-bkaj
7
url VCID-xe7j-b1cs-eqct
vulnerability_id VCID-xe7j-b1cs-eqct
summary Sandbox Information Disclosure.
references
0
reference_url https://symfony.com/blog/twig-sandbox-information-disclosure
reference_id
reference_type
scores
url https://symfony.com/blog/twig-sandbox-information-disclosure
fixed_packages
0
url pkg:composer/twig/twig@1.38.0
purl pkg:composer/twig/twig@1.38.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
2
vulnerability VCID-etje-vrfw-nbh4
3
vulnerability VCID-ummk-h11z-bkaj
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@1.38.0
1
url pkg:composer/twig/twig@2.7.0
purl pkg:composer/twig/twig@2.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
2
vulnerability VCID-etje-vrfw-nbh4
3
vulnerability VCID-ummk-h11z-bkaj
4
vulnerability VCID-yypq-j9mx-6qa4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@2.7.0
aliases 2019-03-12
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xe7j-b1cs-eqct
8
url VCID-xscd-caaj-kqdk
vulnerability_id VCID-xscd-caaj-kqdk
summary
Information Exposure
Under some circumstances, it is possible to call the `__toString()` method on an object even if not allowed by the security policy in place.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-9942
reference_id
reference_type
scores
0
value 0.0042
scoring_system epss
scoring_elements 0.61874
published_at 2026-04-07T12:55:00Z
1
value 0.0042
scoring_system epss
scoring_elements 0.61977
published_at 2026-04-18T12:55:00Z
2
value 0.0042
scoring_system epss
scoring_elements 0.61972
published_at 2026-04-16T12:55:00Z
3
value 0.0042
scoring_system epss
scoring_elements 0.6193
published_at 2026-04-13T12:55:00Z
4
value 0.0042
scoring_system epss
scoring_elements 0.6195
published_at 2026-04-12T12:55:00Z
5
value 0.0042
scoring_system epss
scoring_elements 0.61798
published_at 2026-04-01T12:55:00Z
6
value 0.0042
scoring_system epss
scoring_elements 0.61872
published_at 2026-04-02T12:55:00Z
7
value 0.0042
scoring_system epss
scoring_elements 0.61903
published_at 2026-04-04T12:55:00Z
8
value 0.0042
scoring_system epss
scoring_elements 0.61962
published_at 2026-04-11T12:55:00Z
9
value 0.0042
scoring_system epss
scoring_elements 0.6194
published_at 2026-04-09T12:55:00Z
10
value 0.0042
scoring_system epss
scoring_elements 0.61923
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-9942
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9942
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2019-9942.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2019-9942.yaml
3
reference_url https://github.com/twigphp/Twig
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig
4
reference_url https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077
5
reference_url https://seclists.org/bugtraq/2019/Mar/60
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Mar/60
6
reference_url https://symfony.com/blog/twig-sandbox-information-disclosure
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://symfony.com/blog/twig-sandbox-information-disclosure
7
reference_url https://www.debian.org/security/2019/dsa-4419
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2019/dsa-4419
8
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*
9
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
reference_id cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-9942
reference_id CVE-2019-9942
reference_type
scores
0
value 4.3
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:P/I:N/A:N
1
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-9942
11
reference_url https://github.com/advisories/GHSA-vxrc-68xx-x48g
reference_id GHSA-vxrc-68xx-x48g
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vxrc-68xx-x48g
12
reference_url https://usn.ubuntu.com/5947-1/
reference_id USN-5947-1
reference_type
scores
url https://usn.ubuntu.com/5947-1/
fixed_packages
0
url pkg:composer/twig/twig@1.38.0
purl pkg:composer/twig/twig@1.38.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
2
vulnerability VCID-etje-vrfw-nbh4
3
vulnerability VCID-ummk-h11z-bkaj
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@1.38.0
1
url pkg:composer/twig/twig@2.7.0
purl pkg:composer/twig/twig@2.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1au7-86r7-8qdn
1
vulnerability VCID-cd24-q2ys-yfbe
2
vulnerability VCID-etje-vrfw-nbh4
3
vulnerability VCID-ummk-h11z-bkaj
4
vulnerability VCID-yypq-j9mx-6qa4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@2.7.0
aliases CVE-2019-9942, GHSA-vxrc-68xx-x48g
risk_score 1.9
exploitability 0.5
weighted_severity 3.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xscd-caaj-kqdk
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/twig/twig@1.18.1