{"id":"CVE-2022-39261","summary":"Twig may load a template outside a configured directory when using the filesystem loader","details":"Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.","aliases":["BIT-drupal-2022-39261","DRUPAL-CORE-2022-016","GHSA-52m2-vc4m-jj33"],"modified":"2026-02-24T01:23:38.823763Z","published":"2022-09-28T00:00:00Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39261.json","cwe_ids":["CWE-22"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39261.json"},{"type":"FIX","url":"https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b"},{"type":"ADVISORY","url":"https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39261"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5248"},{"type":"WEB","url":"https://www.drupal.org/sa-core-2022-016"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"35c2f3ca5c935f3d8bde15932a712677c9bbd50f"},{"fixed":"e637df2c3679a3eb768675681220e74a5ee51a18"},{"introduced":"970c1b5cfa946f683de326a3f252b5371a42186a"},{"fixed":"89d5167a40092f646c810b52ad7bde1f091ee73f"}]}],"versions":["8.0.0","8.1.0-beta1","9.0.0-alpha1","9.0.0-alpha2","9.3.0","9.3.0-alpha1","9.3.0-beta1","9.3.0-beta2","9.3.0-beta3","9.3.0-rc1","9.3.10","9.3.11","9.3.12","9.3.13","9.3.14","9.3.15","9.3.16","9.3.17","9.3.18","9.3.19","9.3.2","9.3.20","9.3.21","9.3.3","9.3.4","9.3.5","9.3.6","9.3.7","9.3.8","9.3.9","9.4.0","9.4.0-alpha1","9.4.0-beta1","9.4.0-rc1","9.4.0-rc2","9.4.1","9.4.2","9.4.3","9.4.4","9.4.5","9.4.6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39261.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/twigphp/twig","events":[{"introduced":"2a86dde1288d7270169083d0e078dc7ebe0f48b6"},{"fixed":"ab402673db8746cb3a4c46f3869d6253699f614a"},{"introduced":"2f106a80cc13b4260074e573fa017a770fe20350"},{"fixed":"0887422319889e442458e48e2f3d9add1a172ad5"},{"introduced":"9b58bb8ac7a41d72fbb5a7dc643e07923e5ccc26"},{"fixed":"c38fd6b0b7f370c198db91ffd02e23b517426b58"}]}],"versions":["v1.0.0","v1.1.0","v1.1.0-RC1","v1.1.0-RC2","v1.1.0-RC3","v1.1.1","v1.1.2","v1.10.0","v1.10.1","v1.10.2","v1.10.3","v1.11.0","v1.11.1","v1.12.0","v1.12.0-RC1","v1.12.1","v1.12.2","v1.12.3","v1.13.0","v1.13.1","v1.13.2","v1.14.0","v1.14.1","v1.14.2","v1.15.0","v1.15.1","v1.16.0","v1.16.1","v1.16.2","v1.16.3","v1.17.0","v1.18.0","v1.18.1","v1.18.2","v1.19.0","v1.2.0","v1.2.0-RC1","v1.20.0","v1.21.0","v1.21.1","v1.21.2","v1.22.0","v1.22.1","v1.22.2","v1.22.3","v1.23.0","v1.23.1","v1.23.2","v1.23.3","v1.24.0","v1.24.1","v1.24.2","v1.25.0","v1.26.0","v1.26.1","v1.27.0","v1.28.0","v1.28.1","v1.28.2","v1.29.0","v1.3.0","v1.3.0-RC1","v1.30.0","v1.31.0","v1.32.0","v1.33.0","v1.33.1","v1.33.2","v1.34.0","v1.34.1","v1.34.2","v1.34.3","v1.34.4","v1.35.0","v1.35.1","v1.35.2","v1.35.3","v1.35.4","v1.36.0","v1.37.0","v1.37.1","v1.38.0","v1.38.1","v1.38.2","v1.38.3","v1.38.4","v1.39.0","v1.39.1","v1.4.0","v1.4.0-RC1","v1.4.0-RC2","v1.40.0","v1.40.1","v1.41.0","v1.42.0","v1.42.1","v1.42.2","v1.42.3","v1.42.4","v1.42.5","v1.43.0","v1.43.1","v1.44.0","v1.44.1","v1.44.2","v1.44.3","v1.44.4","v1.44.5","v1.44.6","v1.5.0","v1.5.0-RC1","v1.5.0-RC2","v1.5.1","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.7.0","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.9.0","v1.9.1","v1.9.2","v2.0.0","v2.1.0","v2.10.0","v2.11.0","v2.11.1","v2.11.2","v2.11.3","v2.12.0","v2.12.1","v2.12.2","v2.12.3","v2.12.4","v2.12.5","v2.13.0","v2.13.1","v2.14.0","v2.14.1","v2.14.10","v2.14.11","v2.14.12","v2.14.13","v2.14.2","v2.14.3","v2.14.4","v2.14.5","v2.14.6","v2.14.7","v2.14.8","v2.14.9","v2.15.0","v2.15.1","v2.15.2","v2.2.0","v2.3.0","v2.3.1","v2.3.2","v2.4.0","v2.4.1","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.5.0","v2.6.0","v2.6.1","v2.6.2","v2.7.0","v2.7.1","v2.7.2","v2.7.3","v2.7.4","v2.8.0","v2.8.1","v2.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39261.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}