Description
Twig is a template language for PHP. In affected versions, when a template used the null-coalescing `??` operator, output escaping (autoescaping) was not applied to the expression on the left side of the operator, so a user-controlled value rendered through `{{ value ?? fallback }}` reached the output unescaped even though the same value rendered as `{{ value }}` was escaped. This allows injection of markup into the rendered output (CWE-74). This vulnerability is fixed in Twig 3.19.0.
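The following PHP script is an added example, not code from the advisory or from the Twig project. It renders the same attacker-style value once through the `??` operator and once without it, with Twig's default HTML autoescaping on, and reports whether the left-hand side of `??` came out unescaped. It assumes Twig is installed through Composer (`vendor/autoload.php`); the template names, the payload and the context values are constructed for the check.

```php
<?php
// Added example (not from the advisory or the Twig project): check whether the
// installed Twig version escapes the left-hand side of the ?? operator.
// Assumes Twig was installed via Composer so that vendor/autoload.php exists.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed payload standing in for attacker-controlled data such as a
// user-supplied display name.
$payload = '<img src=x onerror=alert(1)>';

$loader = new ArrayLoader([
    // Left side of ?? is the attacker-controlled value; the fallback is a literal.
    'coalesce' => '<p>{{ user.name ?? "anonymous" }}</p>',
    // Same value rendered without ?? as a baseline that autoescaping must escape.
    'plain'    => '<p>{{ user.name }}</p>',
]);

// 'html' is Twig's default autoescape strategy; it is set explicitly here so
// the check does not depend on an application-level override.
$twig = new Environment($loader, ['autoescape' => 'html']);

$context = ['user' => ['name' => $payload]];

$plain    = $twig->render('plain', $context);
$coalesce = $twig->render('coalesce', $context);

echo 'Twig version: ' . Environment::VERSION . PHP_EOL;
echo 'plain:    ' . $plain . PHP_EOL;
echo 'coalesce: ' . $coalesce . PHP_EOL;

// The baseline must never contain the raw payload; if it does, autoescaping is
// not active and the result of the ?? check would be meaningless.
if (str_contains($plain, $payload)) {
    fwrite(STDERR, "autoescaping is not active; check the Environment options\n");
    exit(2);
}

// On affected versions (>= 3.16.0, < 3.19.0) the ?? template emits the raw
// payload; on 3.19.0 and later it is escaped like the baseline.
if (str_contains($coalesce, $payload)) {
    echo 'VULNERABLE: left-hand side of ?? was rendered unescaped' . PHP_EOL;
    exit(1);
}

echo 'OK: left-hand side of ?? was escaped' . PHP_EOL;
exit(0);
```

Run it from the application's root (`php check-twig-coalesce.php`) and compare the two rendered lines: on an affected release the `coalesce` line contains the literal `<img ...>` tag while the `plain` line contains `&lt;img ...&gt;`. The exit code makes the script usable in a CI job that fails until the dependency is upgraded to 3.19.0 or later.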
References (2)
Core References
Vendor Advisory (x_refsource_confirm)
https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
Patch (x_refsource_misc)
https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3
Scores
CVSS v3
4.3
EPSS
0.0030
EPSS Percentile
52.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection")
Status
published
Products (2)
twig/twig
3.16.0 - 3.19.0 (Packagist; 3.19.0 is the fixed release)
twigphp/Twig
>= 3.16.0, < 3.19.0
Published
Jan 29, 2025
Tracked Since
Feb 18, 2026