CVE-2018-13818

Name of the Vulnerable Software and Affected Versions Twig versions prior to 2.4.4

Description The issue allows Server-Side Template Injection (SSTI) via the search key parameter. It is noted that Twig itself is not a web application, and the responsibility of properly wrapping input to it lies with web applications using Twig.

Recommendations For versions prior to 2.4.4, update to version 2.4.4 or later to resolve the issue. As a temporary workaround, consider properly wrapping input to Twig to prevent Server-Side Template Injection. Restrict access to the search key parameter in affected applications to minimize the risk of exploitation.