This week’s Drupal updates address a critical vulnerability in Twig that could lead to the disclosure of sensitive information. Drupal is a PHP-based open-source web content management system, and Twig has been its default templating engine since Drupal 8 was released in November 2015.
The vulnerability, tracked as CVE-2022-39261, could allow an attacker to load templates from outside the configured directory via the file system loader. It has been assigned a “high” severity rating, which corresponds to “critical” under Drupal’s own scoring system.
Twig has fixed the vulnerability in versions 1.44.7, 2.15.3, and 3.4.3. The security flaw is mitigated by the fact that an attacker needs administrative permission with restricted access to exploit it.
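As an added example (not Twig’s or Drupal’s code, and not the upstream patch itself), the following PHP 8 sketch shows the containment check a file system template loader of the kind described above needs: the traversal check must run on the name segment that is actually joined to the configured directory, and a realpath prefix check backs it up. The “@ns/path” namespace convention and the templates/ directories are assumptions made for the demo.

```php
<?php
// Added illustration, not Twig's own code: resolve a namespaced template name ("@ns/path",
// a constructed convention) and refuse any name that would load a file outside its directory.
/** Lexical check: reject names whose "../" segments climb above the root. */
function assertNoClimb(string $shortname): void
{
    $level = 0;
    foreach (explode('/', str_replace('\\', '/', $shortname)) as $part) {
        if ($part === '..') {
            --$level;
        } elseif ($part !== '.' && $part !== '') {
            ++$level;
        }
        if ($level < 0) {
            throw new RuntimeException("Template name \"$shortname\" climbs above its root");
        }
    }
}

/** @param array<string, string> $roots namespace => directory */
function resolveTemplate(array $roots, string $name): string
{
    [$ns, $shortname] = ['main', $name];
    if (str_starts_with($name, '@') && ($pos = strpos($name, '/')) !== false) {
        [$ns, $shortname] = [substr($name, 1, $pos - 1), substr($name, $pos + 1)];
    }
    if (!isset($roots[$ns]) || ($root = realpath($roots[$ns])) === false) {
        throw new RuntimeException("Unknown template namespace \"$ns\"");
    }
    // Validate the part that is joined to the directory, not the raw name: on the
    // full "@ns/../x" string the "@ns" segment would offset the ".." and mask the escape.
    assertNoClimb($shortname);
    // Second, filesystem-level check (also catches symlinks): the resolved file must sit under the root.
    $real = realpath($root . DIRECTORY_SEPARATOR . $shortname);
    if ($real === false || !str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("Template \"$name\" is missing or resolves outside its root");
    }
    return $real;
}

// Demo with constructed paths; "templates/" and "templates/admin/" must exist.
$roots = ['main' => __DIR__ . '/templates', 'admin' => __DIR__ . '/templates/admin'];
foreach (['page.html.twig', '@admin/../../settings.php'] as $name) {
    try {
        echo $name, ' -> ', resolveTemplate($roots, $name), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $name, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The second name is rejected by the lexical check alone; the realpath comparison remains as a defence in depth for cases the string check cannot see, such as a symlink inside the template directory.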