Search CVE reports
11 – 20 of 27 results
Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in...
1 affected package
php-twig
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| php-twig | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | — |
Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute()...
1 affected package
php-twig
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| php-twig | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | — |
Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__<hash> name that can fall outside a SourcePolicyInterface sandbox decision,...
1 affected package
php-twig
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| php-twig | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | — |
Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name...
1 affected package
php-twig
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| php-twig | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | — |
Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a...
1 affected package
php-twig
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| php-twig | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | — |
Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted...
1 affected package
php-twig
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| php-twig | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | — |
Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource...
1 affected package
php-twig
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| php-twig | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | — |
[Unknown description]
1 affected package
php-twig
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| php-twig | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | — |
Some fixes available 1 of 2
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter,...
1 affected package
php-twig
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| php-twig | Fixed | Not affected | Not affected | Not affected | — |
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
2 affected packages
php-twig, twig
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| php-twig | Not affected | Not affected | Not affected | Not affected | — |
| twig | Not in release | Not in release | Not in release | Not in release | Needs evaluation |