{"id":"CVE-2021-43836","details":"Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions, an attacker can read arbitrary local files via a PHP file include. In a default configuration, this also leads to remote code execution. The problem is patched in versions 1.6.44, 2.2.18, 2.3.8 and 2.4.0. Users who are unable to upgrade can overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language.","aliases":["GHSA-vx6j-pjrh-vgjh"],"modified":"2026-02-24T11:41:44.404469Z","published":"2021-12-15T20:15:08.733Z","related":["GHSA-vx6j-pjrh-vgjh"],"references":[{"type":"ADVISORY","url":"https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54"},{"type":"ADVISORY","url":"https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh"},{"type":"FIX","url":"https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sulu/sulu","events":[{"introduced":"0"},{"fixed":"68396b4aeadcdbf98e2c4cffcdfadee1e49948d5"},{"introduced":"5e0db29766f99ae62528123a5ca78200bbc21be0"},{"fixed":"f10bc6afb126e8215f27c410320cad374301c3fb"},{"introduced":"87fdd3500d5999548acc07ca4b4df9842a9956f4"},{"fixed":"30bf8b5a4f83b6f2171a696011757d095edaa28a"}]}],"versions":["1.6.41","1.6.42","1.6.43","2.3.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43836.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}