This week, Drupal updates were announced that resolve a serious Twig vulnerability that could lead to the disclosure of private data. Since Drupal 8’s initial release in November 2015, the PHP-based open source web content management system has used Twig as its default template engine.
The vulnerability, identified as CVE-2022-39261, could allow an attacker to use the filesystem loader to load templates outside of a defined directory.