A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the `__toString()` method on an object even if not allowed by the security policy in place.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| twig/twig (Packagist) | 0 | 1.38.0 | N/A |
| twig/twig (Packagist) | 2.0.0 | 2.7.0 | N/A |