{"id":"CVE-2022-39261","summary":"Twig may load a template outside a configured directory when using the filesystem loader","details":"Twig is a template language for PHP. In versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3, the filesystem loader is affected whenever the template name it is asked to load comes from user input. A template name that combines a namespace with a parent-directory segment, such as `@somewhere/../some.file`, bypasses the loader's check that template names resolve inside the configured templates directory, so the `source` or `include` statement can be used to read arbitrary files from outside that directory. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading; applications that pass user-controlled template names to the loader should treat this as a path traversal issue until the upgrade is applied.","aliases":["BIT-drupal-2022-39261","DRUPAL-CORE-2022-016","GHSA-52m2-vc4m-jj33"],"modified":"2026-04-10T04:51:20.608666Z","published":"2022-09-28T00:00:00Z","database_specific":{"cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39261.json"},"references":[{"type":"WEB","url":"https://www.drupal.org/sa-core-2022-016"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39261.json"},{"type":"ADVISORY","url":"https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/"},{"type":"ADVISORY","url":"https://lis
ts.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39261"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5248"},{"type":"FIX","url":"https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"35c2f3ca5c935f3d8bde15932a712677c9bbd50f"},{"fixed":"e637df2c3679a3eb768675681220e74a5ee51a18"},{"introduced":"970c1b5cfa946f683de326a3f252b5371a42186a"},{"fixed":"89d5167a40092f646c810b52ad7bde1f091ee73f"},{"introduced":"0"},{"last_affected":"2700c5afb6c3936041db413872eea82dc0bd4fe4"},{"introduced":"0"},{"last_affected":"140f94ff1051644c4416c7ed30cc5dd1f14507b2"}],"database_specific":{"versions":[{"introduced":"8.0.0"},{"fixed":"9.3.22"},{"introduced":"9.4.0"},{"fixed":"9.4.7"},{"introduced":"0"},{"last_affected":"10.0"},{"introduced":"0"},{"last_affected":"11.0"}]}}],"versions":["10.0.0","10.0.0-alpha1","10.0.0-alpha3","10.0.0-alpha4","10.0.0-alpha5","10.0.0-alpha6","10.0.0-alpha7","10.0.0-beta1","10.0.0-beta2","10.0.0-rc1","10.0.0-rc2","10.0.0-rc3","10.1.0-alpha1","11.0.0","11.0.0-alpha1","11.0.0-beta1","8.0.0","8.1.0-beta1","9.0.0-alpha1","9.0.0-alpha2","9.3.0","9.3.0-alpha1","9.3.0-beta1","9.3.0-beta2","9.3.0-beta3","9.3.0-rc1","9.3.10","9.3.11","9.3.13","9.3.15","9.3.17","9.3.18","9.3.2","9.3.20","9.3.21","9.3.4","9.3.7","9.4.0","9.4.1","9.4.2","9.4.4","9.4.5","9.4.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39261.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/twigphp/
twig","events":[{"introduced":"2a86dde1288d7270169083d0e078dc7ebe0f48b6"},{"fixed":"ab402673db8746cb3a4c46f3869d6253699f614a"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.15.3"}]}},{"type":"GIT","repo":"https://github.com/twigphp/twig","events":[{"introduced":"9b58bb8ac7a41d72fbb5a7dc643e07923e5ccc26"},{"fixed":"c38fd6b0b7f370c198db91ffd02e23b517426b58"}],"database_specific":{"versions":[{"introduced":"3.0.0"},{"fixed":"3.4.3"}]}}],"versions":["v2.0.0","v2.1.0","v2.10.0","v2.11.0","v2.11.1","v2.11.2","v2.11.3","v2.12.0","v2.12.1","v2.12.2","v2.12.3","v2.12.4","v2.12.5","v2.13.0","v2.13.1","v2.14.0","v2.14.1","v2.14.10","v2.14.11","v2.14.12","v2.14.13","v2.14.2","v2.14.3","v2.14.4","v2.14.5","v2.14.6","v2.14.7","v2.14.8","v2.14.9","v2.15.0","v2.15.1","v2.15.2","v2.2.0","v2.3.0","v2.3.1","v2.3.2","v2.4.0","v2.4.1","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.5.0","v2.6.0","v2.6.1","v2.6.2","v2.7.0","v2.7.1","v2.7.2","v2.7.3","v2.7.4","v2.8.0","v2.8.1","v2.9.0","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.1.0","v3.1.1","v3.2.1","v3.3.0","v3.3.1","v3.3.10","v3.3.2","v3.3.3","v3.3.4","v3.3.5","v3.3.6","v3.3.7","v3.3.8","v3.3.9","v3.4.0","v3.4.1","v3.4.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39261.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}