Twig/twig

This hub aggregates every CVE we track for Twig/twig, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 8 most recently published vulnerabilities affecting Twig/twig.

• CVE-2025-24374Twig fixes a security issue where escaping was missing when using null coalesce operator (??)4.3Jan 29, 2025
• CVE-2024-51754Unguarded calls to __toString() when nesting an object into an array in Twig2.2Nov 6, 2024
• CVE-2024-51755Unguarded calls to __isset() and to array-accesses when the sandbox is enabled in Twig2.2Nov 6, 2024
• CVE-2024-45411Twig has a possible sandbox bypass8.5Sep 9, 2024
• CVE-2022-39261Twig may load a template outside a configured directory when using the filesystem loader7.5Sep 28, 2022
• CVE-2022-23614Code injection in Twig8.8Feb 4, 2022
• CVE-2019-9942A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed...3.7Mar 23, 2019
• CVE-2015-7809The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template.6.8Nov 6, 2015