{"api_version":"1","generated_at":"2026-04-23T02:37:33+00:00","cve":"CVE-2022-39261","urls":{"html":"https://cve.report/CVE-2022-39261","api":"https://cve.report/api/cve/CVE-2022-39261.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-39261","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-39261"},"summary":{"title":"CVE-2022-39261","description":"Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-09-28 14:15:00","updated_at":"2023-11-07 03:50:00"},"problem_types":["CWE-22"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/","name":"FEDORA-2022-d39b2a755b","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: php-twig2-2.15.3-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html","name":"[debian-lts-announce] 20221011 [SECURITY] [DLA 3147-1] twig security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3147-1] twig security 
update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/","name":"FEDORA-2022-c6fe3ebd94","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: php-twig-1.44.7-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.drupal.org/sa-core-2022-016","name":"https://www.drupal.org/sa-core-2022-016","refsource":"CONFIRM","tags":[],"title":"Access to this page has been denied.","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/","name":"FEDORA-2022-1695454935","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: php-twig-1.44.7-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/","name":"FEDORA-2022-4490a4772d","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: php-twig-1.44.7-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/","name":"FEDORA-2022-73b9fb7a77","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: php-twig2-2.15.3-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b","name":"https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b","refsource":"MISC","tags":[],"title":"security #cve- Fix 
a security issue on filesystem loader (possibility… · twigphp/Twig@35f3035 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/","name":"FEDORA-2022-d39b2a755b","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: php-twig2-2.15.3-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2022/dsa-5248","name":"DSA-5248","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5248-1 php-twig","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/","name":"FEDORA-2022-73b9fb7a77","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: php-twig2-2.15.3-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/","name":"FEDORA-2022-4490a4772d","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: php-twig-1.44.7-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/","name":"FEDORA-2022-9d8ee4a6de","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: php-twig2-2.15.3-1.fc36 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/","name":"FEDORA-2022-c6fe3ebd94","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: php-twig-1.44.7-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/","name":"FEDORA-2022-1695454935","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: php-twig-1.44.7-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33","name":"https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33","refsource":"CONFIRM","tags":[],"title":"Possibility to load a template outside a configured directory when using the filesystem loader · Advisory · twigphp/Twig · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/","name":"FEDORA-2022-9d8ee4a6de","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: php-twig2-2.15.3-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-39261","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39261","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"39261","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39261","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39261","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"drupal","cpe5":"drupal","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39261","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39261","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39261","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39261","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"symfony","cpe5":"twig","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-39261","qid":"154123","title
":"Drupal Core: Twig Template Path Traversal Vulnerability (CVE-2022-39261)"},{"cve":"CVE-2022-39261","qid":"181128","title":"Debian Security Update for twig (DLA 3147-1)"},{"cve":"CVE-2022-39261","qid":"184290","title":"Debian Security Update for php-twig (CVE-2022-39261)"},{"cve":"CVE-2022-39261","qid":"199472","title":"Ubuntu Security Notification for Twig Vulnerabilities (USN-5947-1)"},{"cve":"CVE-2022-39261","qid":"283183","title":"Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2022-d39b2a755b)"},{"cve":"CVE-2022-39261","qid":"283184","title":"Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2022-9d8ee4a6de)"},{"cve":"CVE-2022-39261","qid":"283186","title":"Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2022-4490a4772d)"},{"cve":"CVE-2022-39261","qid":"283187","title":"Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2022-1695454935)"},{"cve":"CVE-2022-39261","qid":"730620","title":"Drupal Core Multiple vulnerabilities Vulnerability (SA-CORE-2022-016)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-39261","STATE":"PUBLIC","TITLE":"Twig may load a template outside a configured directory when using the filesystem loader"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Twig","version":{"version_data":[{"version_value":">= 1.0.0, < 1.44.7"},{"version_value":">= 2.0.0, < 2.15.3"},{"version_value":">= 3.0.0, < 3.4.3"}]}}]},"vendor_name":"twigphp"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. 
It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]},"references":{"reference_data":[{"name":"https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33","refsource":"CONFIRM","url":"https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33"},{"name":"https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b","refsource":"MISC","url":"https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b"},{"refsource":"CONFIRM","name":"https://www.drupal.org/sa-core-2022-016","url":"https://www.drupal.org/sa-core-2022-016"},{"refsource":"DEBIAN","name":"DSA-5248","url":"https://www.debian.org/security/2022/dsa-5248"},{"refsource":"FEDORA","name":"FEDORA-2022-4490a4772d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/"},{"refsource":"FEDORA","name":"FEDORA-2022-d39b2a755b","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/"},{"refsource":"FEDORA","name":"FEDORA-2022-1695454935","url":"https://lists.fedoraproject.org/archives/list/package-
announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/"},{"refsource":"FEDORA","name":"FEDORA-2022-9d8ee4a6de","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221011 [SECURITY] [DLA 3147-1] twig security update","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html"},{"refsource":"FEDORA","name":"FEDORA-2022-c6fe3ebd94","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/"},{"refsource":"FEDORA","name":"FEDORA-2022-73b9fb7a77","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/"}]},"source":{"advisory":"GHSA-52m2-vc4m-jj33","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-09-28 14:15:00","lastModifiedDate":"2023-11-07 03:50:00","problem_types":["CWE-22"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.4.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.15.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"1.44.7","cpe_name":[]}]},{"operator":"OR","children":[],"
cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*","versionStartIncluding":"9.4.0","versionEndExcluding":"9.4.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"9.3.22","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}