Twig
This hub aggregates every CVE we track for Twig, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
15
CVEs tracked
1
Critical
8
High
0
In CISA KEV
Severity distribution
HIGH8LOW3MEDIUM3CRITICAL1
Monthly trend
0
1
0
2
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Twig.
- CVE-2026-24425Twig 2.16.x & 3.9.0-3.25.x Sandbox Bypass via SourcePolicyInterface8.8
- CVE-2025-24374Twig fixes a security issue where escaping was missing when using null coalesce operator (??)4.3
- CVE-2024-51754Unguarded calls to __toString() when nesting an object into an array in Twig2.2
- CVE-2024-51755Unguarded calls to __isset() and to array-accesses when the sandbox is enabled in Twig2.2
- CVE-2024-45411Twig has a possible sandbox bypass8.5
- CVE-2023-46734Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters6.1
- CVE-2022-39261Twig may load a template outside a configured directory when using the filesystem loader7.5
- CVE-2022-23614Code injection in Twig8.8
- CVE-2019-9942A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed...3.7
- CVE-2018-13818Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the r...9.8
- CVE-2015-7809The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template.6.8
- CVE-2001-1537The default "basic" security setting' in config.php for TWIG webmail 2.7.4 and earlier stores cleartext usernames and passwords in cookies, which could allow attackers to obtain authentication info...7.5
- CVE-2000-1166Twig webmail system does not properly set the "vhosts" variable if it is not configured on the site, which allows remote attackers to insert arbitrary PHP (PHP3) code by specifying an alternate vho...7.5
- CVE-2001-1361Vulnerability in The Web Information Gateway (TWIG) 2.7.1, possibly related to incorrect security rights and/or the generation of mailto links.7.5
- CVE-2001-1348TWIG 2.6.2 and earlier allows remote attackers to perform unauthorized database operations via a SQL injection attack on the id parameter.7.5
Product normalization is registry-driven with AI assist and human review. How it works