What is CVE-2022-39261?

CVE-2022-39261 is a high-severity vulnerability in Twigphp Twig, classified under Path Traversal. CVSS score: 7.5/10. Published 2022-09-28.

How severe is CVE-2022-39261?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2022-39261 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Twigphp Twig

CVE-2022-39261

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `sou…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.095 (93.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Twigphp Twig — versions => 1.0.0, < 1.44.7, >= 2.0.0, < 2.15.3, >= 3.0.0, < 3.4.3

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

References

github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
www.drupal.org/sa-core-2022-016
DSA-5248 (vendor-advisory)
FEDORA-2022-4490a4772d (vendor-advisory)
FEDORA-2022-d39b2a755b (vendor-advisory)
FEDORA-2022-1695454935 (vendor-advisory)
FEDORA-2022-9d8ee4a6de (vendor-advisory)
[debian-lts-announce] 20221011 [SECURITY] [DLA 3147-1] twig security update (mailing-list)
FEDORA-2022-c6fe3ebd94 (vendor-advisory)

Frequently asked questions

What is CVE-2022-39261?: CVE-2022-39261 is a high-severity vulnerability in Twigphp Twig, classified under Path Traversal. CVSS score: 7.5/10. Published 2022-09-28.
How severe is CVE-2022-39261?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2022-39261 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.