CVEFinder.io

CVE-2015-7809

đŸ”ļ medium
🔍 Scan for this CVE
Summary

The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template.

CVSS Score
6.8
Medium
EPSS Score
2.0
Exploit Probability
Published Date
2015-11-06
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 48.8% of all 330,193 vulnerabilities in our database.

#169,083
Below average severity
Severity Percentile
Last Modified 2025-04-12
Source NVD 🔗
CWE IDs (Weakness Types)
CWE-264

đŸ“Ļ Affected Products 1

Vendor Product Status Affected Versions
symfony twig Affected
≤ 1.19.0

🔗 References 6

http://openwall.com/lists/oss-security/2015/08/21/3
http://openwall.com/lists/oss-security/2015/10/11/2
http://symfony.com/blog/security-release-twig-1-20-0
Vendor Advisory
http://www.debian.org/security/2015/dsa-3343
https://github.com/fabpot/Twig/commit/30be07759a3de2...
https://github.com/twigphp/Twig/pull/1759

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-24425 ⚠ī¸ high 8.8 0.1 Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface ... 2026-05-20
CVE-2024-45411 ⚠ī¸ high 8.5 0.1 Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user... 2024-09-09
CVE-2022-39261 ⚠ī¸ high 7.5 2.3 Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter... 2022-09-28
CVE-2022-23614 ⚠ī¸ high 8.8 34.9 Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter mus... 2022-02-04
CVE-2019-9942 ℹī¸ low 3.7 0.3 A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it... 2019-03-23
CVE-2018-13818 ⛔ critical 9.8 0.5 Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor poi... 2018-07-10
These CVEs affect the same products