Name of the Vulnerable Software and Affected Versions: Twig (affected versions not specified)

Description: The issue allows for path traversal when Twig is used with Twig Loader Filesystem for loading templates and the application uses non-trusted template names. This enables an attacker to access files in a parent directory of the configured path by prepending /../ to the path in an include statement, such as {% include "/../somefile in path to" %}. Other variations like ../somefile, /../../somefile, or ../../somefile will not work and will result in an exception.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.