Vulnerability Database

296,746

Total vulnerabilities in the database

CVE-2025-24374

Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

Published: Jan 29, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-24374
GHSA: GHSA-3xg3-cgvq-2xwr
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWEs:

CWE-74

Affected Software
References

Software	From	Fixed in
twig / twig	3.16.0	3.19.0

https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2025-24374.yaml
https://github.com/twigphp/Twig/commit/38576b12f05df3cc871bf68f39ccb46b418334a3
https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo