Intel

AIKIDO-2026-490805

cakephp/twig-view is vulnerable to Deserialization of Untrusted Data

Deserialization of Untrusted DataCVE-2026-59192 Published 3 days ago

69

Medium Risk

This Affects:

PHPcakephp/twig-view
1.0.0 - 1.3.2
Fixed in 1.3.3
2.0.0 - 2.1.1
Fixed in 2.1.2
Are you affected? Scan for Free

TL;DR

The unserialize Twig filter in the twig-view plugin deserializes input without restricting which PHP classes may be instantiated. When a template applies this filter to attacker-controlled data, the deserialization can be abused as a remote-code-execution gadget through crafted serialized objects. This lets an attacker trigger unintended object instantiation and magic methods while a view is rendered. The fix disables object instantiation by passing ['allowed_classes' => false] to unserialize and deprecates the serialize and unserialize filters.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your templates apply the unserialize filter to untrusted data.

Background info

cakephp/twig-view is vulnerable to Deserialization of Untrusted Data in versions 1.0.0 - 1.3.2 and 2.0.0 - 2.1.1.

How to fix this

Upgrade the cakephp/twig-view library to the patch version.