CVEFinder.io

CVE-2024-45411

⚠ī¸ high
🔍 Scan for this CVE
Summary

Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.

CVSS Score
8.5
High
EPSS Score
0.1
Exploit Probability
Published Date
2024-09-09
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 80.5% of all 330,193 vulnerabilities in our database.

#64,337
Top 25% most severe
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: Sep 9, 2024
🔍 Exploitation Status
None
No known exploits
⚙ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2024-11-21
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-693

đŸ“Ļ Affected Products 3

Vendor Product Status Affected Versions
symfony twig Affected
≥ 1.0.0 < 1.44.8
symfony twig Affected
≥ 2.0.0 < 2.16.1
symfony twig Affected
≥ 3.0.0 < 3.14.0

🔗 References 5

https://github.com/twigphp/Twig/commit/11f68e2aeb526...
Patch
https://github.com/twigphp/Twig/commit/2102dd135986d...
Patch
https://github.com/twigphp/Twig/commit/7afa198603de4...
Patch
https://github.com/twigphp/Twig/security/advisories/...
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/09...

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-24425 ⚠ī¸ high 8.8 0.1 Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface ... 2026-05-20
CVE-2022-39261 ⚠ī¸ high 7.5 2.3 Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter... 2022-09-28
CVE-2022-23614 ⚠ī¸ high 8.8 34.9 Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter mus... 2022-02-04
CVE-2019-9942 ℹī¸ low 3.7 0.3 A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it... 2019-03-23
CVE-2018-13818 ⛔ critical 9.8 0.5 Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor poi... 2018-07-10
CVE-2015-7809 đŸ”ļ medium 6.8 2.0 The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote at... 2015-11-06
These CVEs affect the same products