Vulnerability Database
289,697
Total vulnerabilities in the database
CVE-2025-24374
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
| Software | From | Fixed in |
|---|---|---|
twig / twig
|
3.16.0 | 3.19.0 |
- https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2025-24374.yaml
- https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3
- https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
- https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator