CVE

CVE-2022-39261

Drupal uses the [Twig](https://twig.symfony.com/) third-party library for content templating and sanitization.

CVE

CVE-2022-39261

Drupal uses the [Twig](https://twig.symfony.com/) third-party library for content templating and sanitization.

Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity.

Drupal core's code extending Twig has also been updated to mitigate a related vulnerability.

Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials.

The vulnerability is mitigated by the fact that an exploit is only possible in Drupal core with a restricted access administrative permission. Additional exploit paths for the same vulnerability may exist with contributed or custom code that allows users to write Twig templates.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.5

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Related Resources

No items found.

References

https://www.drupal.org/sa-core-2022-016

Severity

7.5

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.5

EPSS Probability

0.01568%

EPSS Percentile

0.81085%

Introduced Version

8.0.0,9.4.0

Fix Available

9.3.22,9.4.7

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2022-39261

CVE-2022-39261

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

7.5

Basic Information

Fix Critical Vulnerabilities Instantly