CVEFinder.io

CVE-2019-9942

ℹī¸ low
🔍 Scan for this CVE
Summary

A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.

CVSS Score
3.7
Low
EPSS Score
0.3
Exploit Probability
Published Date
2019-03-23
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 4.0% of all 330,193 vulnerabilities in our database.

#317,086
Below average severity
Severity Percentile
Last Modified 2024-11-21
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

đŸ“Ļ Affected Products 3

Vendor Product Status Affected Versions
debian debian_linux Affected
v9.0
symfony twig Affected
< 1.38.0
symfony twig Affected
≥ 2.0.0 < 2.7.0

🔗 References 4

https://github.com/twigphp/Twig/commit/eac5422956e1d...
Patch Third Party Advisory
https://seclists.org/bugtraq/2019/Mar/60
Mailing List Third Party Advisory
https://symfony.com/blog/twig-sandbox-information-di...
Patch Vendor Advisory
https://www.debian.org/security/2019/dsa-4419
Third Party Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-49975 ⚠ī¸ high 7.5 9.9 Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service vi... 2026-06-08
CVE-2026-24425 ⚠ī¸ high 8.8 0.1 Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface ... 2026-05-20
CVE-2026-31431 ⚠ī¸ high 7.8 2.2 In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-pla... 2026-04-22
CVE-2026-4775 ⚠ī¸ high 7.8 0.6 A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the ... 2026-03-24
CVE-2026-1940 đŸ”ļ medium 5.1 0.0 An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added... 2026-03-23
CVE-2025-63261 ⚠ī¸ high 7.8 0.1 AWStats 8.0 is vulnerable to Command Injection via the open function 2026-03-20
These CVEs affect the same products