Drupal patches Critical Twig third-party library vulnerability (CVE-2022-39261)

Drupal has patched a Critical vulnerability that affects multiple versions of Drupal Core.

A remote attacker could exploit this vulnerability to compromise an affected system.

The vulnerability (CVE-2022-39261) is in the Twig third-party library, which Drupal uses for content templating and sanitization.

“Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials,” Drupal noted in the advisory.

The vulnerability is fixed in Drupal 9.4.7 (if using 9.4) and Drupal 9.3.22 (if using 9.3).

All versions of Drupal 9 prior to 9.3.x are end-of-life.
