
CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Jan 2025 — Twig is a template language for PHP. When using the `??` operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0. • https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 6.4 • EPSS: 0% • CPEs: 6 • EXPL: 0

10 Nov 2023 — Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters. • https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')