CVE-2018-13818

CRITICAL

symfony/twig < 2.4.4 - Server-Side Template Injection via search_key Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-13818. PoCs published by JameelNabbo.

AI-analyzed exploit summary: This is a writeup describing a Server-Side Template Injection (SSTI) vulnerability in Twig versions prior to 2.4.4. It explains how attackers can execute arbitrary commands by injecting Twig syntax into parameters, but does not include functional exploit code.

Description

Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search form's search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it. Read together with that note, the defect sits in application code that builds template source out of a request parameter, so the attacker supplies Twig syntax rather than a value; the practical remediation is application-side (pass user input into a fixed template as a variable instead of compiling it), and upgrading the Twig package on its own does not address that pattern.
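
The vulnerable pattern the description refers to, beside its hardened form, as an added example (not code from the original page, from the exploit-db writeup, or from the Twig project). It assumes Twig 2.7+ or 3.x installed via Composer with the namespaced class names; the parameter name search_key comes from the advisory, while the surrounding application code, the template name search.html.twig and the sandbox policy are hypothetical. The constructed input is a harmless arithmetic probe, not an exploit payload.

```php
<?php
// Added example, not from the original page or the Twig project. Assumes
// Twig 2.7+ or 3.x (composer require twig/twig) with namespaced classes.
// The request parameter name search_key is taken from the advisory text;
// the application code around it and the template name are hypothetical.

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;

// Constructed input: a benign SSTI probe. If the rendered output contains the
// evaluated result, the parameter reached the template compiler as code
// rather than being treated as data.
$searchKey = $_GET['search_key'] ?? '{{ 7 * 7 }}';

// --- Vulnerable pattern -----------------------------------------------------
// String concatenation builds the *template source* out of user input, so the
// attacker controls Twig syntax, not just a value. This is the bug class the
// advisory describes; it lives in the application, not in the Twig package.
function renderVulnerable(Environment $twig, string $searchKey): string
{
    $source = 'Results for: ' . $searchKey;          // user input becomes template code
    return $twig->createTemplate($source)->render();  // compiles and runs it
}

// --- Hardened pattern -------------------------------------------------------
// The template is a fixed string under the developer's control; user input is
// handed over as a context variable and only ever appears as data. With the
// "html" autoescape strategy it is also HTML-escaped on output.
function renderSafe(Environment $twig, string $searchKey): string
{
    return $twig->render('search.html.twig', ['search_key' => $searchKey]);
}

$loader = new ArrayLoader([
    'search.html.twig' => 'Results for: {{ search_key }}',   // hypothetical template
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

// Defence in depth: a sandbox policy that allows only a minimal set of tags,
// filters, methods, properties and functions (hypothetical policy). Useful when
// templates genuinely must come from less trusted users; it narrows what a
// compiled template can do but is no substitute for keeping user input out of
// template source in the first place.
$policy = new SecurityPolicy(
    ['if', 'for'],          // allowed tags
    ['escape', 'upper'],    // allowed filters ('escape' is needed for autoescape)
    [],                     // allowed methods   (class => [method, ...])
    [],                     // allowed properties (class => [property, ...])
    []                      // allowed functions
);
$twig->addExtension(new SandboxExtension($policy, true)); // true = sandbox every template

echo renderSafe($twig, $searchKey), PHP_EOL;
// The unsafe path is left callable for comparison during local testing only:
// echo renderVulnerable($twig, $searchKey), PHP_EOL;
```

Run with `php example.php` (or with `?search_key={{ 7 * 7 }}` behind a web server): the safe path prints the braces and digits literally, because they arrive as a variable, while the vulnerable path compiles the same string and prints the evaluated product. Any code path in an application that reaches `createTemplate()`, `ArrayLoader` contents, or a template file with request-derived text is where to look when auditing for this CVE.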

Exploits (1)

exploitdb WRITEUP
by JameelNabbo · text · webapps · php
https://www.exploit-db.com/exploits/44102

Classification
Writeup 90%
Attack Type
RCE
Complexity
Trivial
Reliability
Reliable
Target: Twig < 2.4.4
No auth needed
Prerequisites: A vulnerable Twig application that processes user input in a template context
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit, Third Party Advisory, VDB Entry (x_refsource_exploit-db)
https://www.exploit-db.com/exploits/44102/
Exploit, Third Party Advisory (x_refsource_misc)
https://github.com/twigphp/Twig/issues/2743
Exploit, Third Party Advisory (x_refsource_misc)
https://mobile.twitter.com/jameel_nabbo/status/1032593354704515072?s=20

Scores

CVSS v3.0 9.8 (Critical)
EPSS 0.0699 (6.99%)
EPSS Percentile 93.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Status published
Products (1)
symfony/twig < 2.4.4
Published Jul 10, 2018
Tracked Since Feb 18, 2026