{"api_version":"1","generated_at":"2026-04-23T07:56:24+00:00","cve":"CVE-2018-13818","urls":{"html":"https://cve.report/CVE-2018-13818","api":"https://cve.report/api/cve/CVE-2018-13818.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-13818","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-13818"},"summary":{"title":"CVE-2018-13818","description":"** DISPUTED ** Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-07-10 14:29:00","updated_at":"2023-11-07 02:52:00"},"problem_types":["CWE-94"],"metrics":[],"references":[{"url":"https://github.com/twigphp/Twig/blob/2.x/CHANGELOG","name":"https://github.com/twigphp/Twig/blob/2.x/CHANGELOG","refsource":"MISC","tags":["Release Notes"],"title":"Twig/CHANGELOG at 2.x · twigphp/Twig · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/twigphp/Twig/issues/2743","name":"https://github.com/twigphp/Twig/issues/2743","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"CVE-2018-13818 · Issue #2743 · twigphp/Twig · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://mobile.twitter.com/jameel_nabbo/status/1032593354704515072?s=20","name":"https://mobile.twitter.com/jameel_nabbo/status/1032593354704515072?s=20","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Jameel Nabbo na Twitterze: \"hahaha, the idea I've done it in BlackBox testing, But I'll give the way of finding it,\nIf the system is using Twig, all you have to do is simply by intercepting the requests by @Burp_Suite  and look to any Param that accept GET/POST and put the following{{2+2}} if you saw 4 :)… https://t.co/RFFg7xrqPP\"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/44102/","name":"44102","refsource":"EXPLOIT-DB","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"Twig < 2.4.4 - Server Side Template Injection - PHP webapps Exploit","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://github.com/twigphp/Twig/commit/eddb97148ad779f27e670e1e3f19fb323aedafeb","name":"https://github.com/twigphp/Twig/commit/eddb97148ad779f27e670e1e3f19fb323aedafeb","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"prepared the 2.4.4 release · twigphp/Twig@eddb971 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-13818","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-13818","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"13818","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"symfony","cpe5":"twig","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"13818","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"symfony","cpe5":"twig","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2018-13818","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"** DISPUTED ** Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://github.com/twigphp/Twig/blob/2.x/CHANGELOG","refsource":"MISC","url":"https://github.com/twigphp/Twig/blob/2.x/CHANGELOG"},{"name":"https://github.com/twigphp/Twig/commit/eddb97148ad779f27e670e1e3f19fb323aedafeb","refsource":"MISC","url":"https://github.com/twigphp/Twig/commit/eddb97148ad779f27e670e1e3f19fb323aedafeb"},{"name":"44102","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/44102/"},{"name":"https://github.com/twigphp/Twig/issues/2743","refsource":"MISC","url":"https://github.com/twigphp/Twig/issues/2743"},{"name":"https://mobile.twitter.com/jameel_nabbo/status/1032593354704515072?s=20","refsource":"MISC","url":"https://mobile.twitter.com/jameel_nabbo/status/1032593354704515072?s=20"}]}},"nvd":{"publishedDate":"2018-07-10 14:29:00","lastModifiedDate":"2023-11-07 02:52:00","problem_types":["CWE-94"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*","versionEndExcluding":"2.4.4","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"13818","Ordinal":"130481","Title":"CVE-2018-13818","CVE":"CVE-2018-13818","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"13818","Ordinal":"1","NoteData":"** DISPUTED ** Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"13818","Ordinal":"2","NoteData":"2018-07-10","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"13818","Ordinal":"3","NoteData":"2018-09-21","Type":"Other","Title":"Modified"}]}}}