Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| twig/twig(Packagist) | 0 | 3.11.2 | N/A |
| twig/twig(Packagist) | 3.12 | 3.14.1 | N/A |
CVSS Metrics
