Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
48 vulnerabilities found for Twig by twigphp
CVE-2026-49981 (GCVE-0-2026-49981)
Vulnerability from nvd – Published: 2026-07-14 21:26 – Updated: 2026-07-14 21:26
VLAI
EPSS
VEX
Title
Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
Summary
Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0.
Severity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/23eb6eb126… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.27.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:26:00.460Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-529h-vh3j-85hq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-529h-vh3j-85hq"
},
{
"name": "https://github.com/twigphp/Twig/commit/23eb6eb1267cb0d303b91eb5cff9b0c559c538a4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/23eb6eb1267cb0d303b91eb5cff9b0c559c538a4"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.27.0"
}
],
"source": {
"advisory": "GHSA-529h-vh3j-85hq",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49981",
"datePublished": "2026-07-14T21:26:00.460Z",
"dateReserved": "2026-06-02T18:30:51.282Z",
"dateUpdated": "2026-07-14T21:26:00.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48808 (GCVE-0-2026-48808)
Vulnerability from nvd – Published: 2026-07-14 21:27 – Updated: 2026-07-14 21:27
VLAI
EPSS
VEX
Title
Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
Summary
Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed(), so SourcePolicyInterface decisions are lost and a template author can read public or magic properties not allowed by the sandbox policy. This issue is fixed in version 3.27.0.
Severity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/09c6706407… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.27.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed(), so SourcePolicyInterface decisions are lost and a template author can read public or magic properties not allowed by the sandbox policy. This issue is fixed in version 3.27.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:27:21.812Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-h8vq-8gpg-mhcg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-h8vq-8gpg-mhcg"
},
{
"name": "https://github.com/twigphp/Twig/commit/09c6706407ed7b1cb2d7d1408004f811e47e0424",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/09c6706407ed7b1cb2d7d1408004f811e47e0424"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.27.0"
}
],
"source": {
"advisory": "GHSA-h8vq-8gpg-mhcg",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48808",
"datePublished": "2026-07-14T21:27:21.812Z",
"dateReserved": "2026-05-22T20:57:10.976Z",
"dateUpdated": "2026-07-14T21:27:21.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48807 (GCVE-0-2026-48807)
Vulnerability from nvd – Published: 2026-07-14 21:29 – Updated: 2026-07-14 21:29
VLAI
EPSS
VEX
Title
Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters
Summary
Twig is a template language for PHP. Prior to 3.27.0, the sandbox __toString() checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringable objects to be coerced to strings without consulting the sandbox policy. This issue is fixed in version 3.27.0.
Severity
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/releases/tag/v3.27.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.27.0, the sandbox __toString() checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringable objects to be coerced to strings without consulting the sandbox policy. This issue is fixed in version 3.27.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:29:15.934Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-8x9c-rmqh-456c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-8x9c-rmqh-456c"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.27.0"
}
],
"source": {
"advisory": "GHSA-8x9c-rmqh-456c",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48807",
"datePublished": "2026-07-14T21:29:15.934Z",
"dateReserved": "2026-05-22T20:57:10.975Z",
"dateUpdated": "2026-07-14T21:29:15.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48806 (GCVE-0-2026-48806)
Vulnerability from nvd – Published: 2026-07-14 21:28 – Updated: 2026-07-14 21:28
VLAI
EPSS
VEX
Title
Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys
Summary
Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke __toString() on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed(). This issue is fixed in version 3.27.0.
Severity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/9ff4101463… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.27.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke __toString() on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed(). This issue is fixed in version 3.27.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:28:08.781Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-5v5v-ww74-355v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-5v5v-ww74-355v"
},
{
"name": "https://github.com/twigphp/Twig/commit/9ff41014639ef0e8eb50ac7669191c309d863105",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/9ff41014639ef0e8eb50ac7669191c309d863105"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.27.0"
}
],
"source": {
"advisory": "GHSA-5v5v-ww74-355v",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48806",
"datePublished": "2026-07-14T21:28:08.781Z",
"dateReserved": "2026-05-22T20:57:10.975Z",
"dateUpdated": "2026-07-14T21:28:08.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48805 (GCVE-0-2026-48805)
Vulnerability from nvd – Published: 2026-07-14 21:26 – Updated: 2026-07-14 21:26
VLAI
EPSS
VEX
Title
Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
Summary
Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0.
Severity
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/e235cae3a1… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.27.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:26:34.876Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-p42q-9prx-q5wq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-p42q-9prx-q5wq"
},
{
"name": "https://github.com/twigphp/Twig/commit/e235cae3a1d1e23edc24df4d675f18108c6b167b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/e235cae3a1d1e23edc24df4d675f18108c6b167b"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.27.0"
}
],
"source": {
"advisory": "GHSA-p42q-9prx-q5wq",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48805",
"datePublished": "2026-07-14T21:26:34.876Z",
"dateReserved": "2026-05-22T20:57:10.975Z",
"dateUpdated": "2026-07-14T21:26:34.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47732 (GCVE-0-2026-47732)
Vulnerability from nvd – Published: 2026-07-14 21:12 – Updated: 2026-07-14 21:12
VLAI
EPSS
VEX
Title
Twig Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
Summary
Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed(), allowing a sandboxed template author to invoke __toString() on objects reachable in the render context through conditional expressions, comparison operators, tests, template-loading tags, dynamic attribute names, spread arguments, the do tag, and the .. range operator. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/447d0b2331… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed(), allowing a sandboxed template author to invoke __toString() on objects reachable in the render context through conditional expressions, comparison operators, tests, template-loading tags, dynamic attribute names, spread arguments, the do tag, and the .. range operator. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:12:13.071Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-pr2w-4gpj-cpq4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-pr2w-4gpj-cpq4"
},
{
"name": "https://github.com/twigphp/Twig/commit/447d0b2331e01b8fc6e08119ac984e1ef50caef9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/447d0b2331e01b8fc6e08119ac984e1ef50caef9"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-pr2w-4gpj-cpq4",
"discovery": "UNKNOWN"
},
"title": "Twig Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47732",
"datePublished": "2026-07-14T21:12:13.071Z",
"dateReserved": "2026-05-19T22:16:39.503Z",
"dateUpdated": "2026-07-14T21:12:13.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47730 (GCVE-0-2026-47730)
Vulnerability from nvd – Published: 2026-07-14 21:21 – Updated: 2026-07-14 21:21
VLAI
EPSS
VEX
Title
Twig: XSS in profiler HtmlDumper via unescaped template and profile names
Summary
Twig is a template language for PHP. From 3.0.0 until 3.26.0, Twig\Profiler\Dumper\HtmlDumper writes Profile::getTemplate() and Profile::getName() into HTML output without escaping, allowing attacker-controlled template or profile names to inject arbitrary HTML when a browser renders the profiler dump. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/a5f6e8793e… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. From 3.0.0 until 3.26.0, Twig\\Profiler\\Dumper\\HtmlDumper writes Profile::getTemplate() and Profile::getName() into HTML output without escaping, allowing attacker-controlled template or profile names to inject arbitrary HTML when a browser renders the profiler dump. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:21:10.185Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-2g2g-8p8h-fgwm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-2g2g-8p8h-fgwm"
},
{
"name": "https://github.com/twigphp/Twig/commit/a5f6e8793e603ef34fa86aed2a72f9fbe0b43745",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/a5f6e8793e603ef34fa86aed2a72f9fbe0b43745"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-2g2g-8p8h-fgwm",
"discovery": "UNKNOWN"
},
"title": "Twig: XSS in profiler HtmlDumper via unescaped template and profile names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47730",
"datePublished": "2026-07-14T21:21:10.185Z",
"dateReserved": "2026-05-19T21:29:25.483Z",
"dateUpdated": "2026-07-14T21:21:10.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46640 (GCVE-0-2026-46640)
Vulnerability from nvd – Published: 2026-07-14 21:22 – Updated: 2026-07-14 21:22
VLAI
EPSS
VEX
Title
Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation
Summary
Twig is a template language for PHP. From 3.15.0 until 3.26.0, _self.(<string>) and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression name without identifier validation, causing raw PHP to be emitted into the generated template source and executed at template-load time. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/324fa60545… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.15.0, \u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. From 3.15.0 until 3.26.0, _self.(\u003cstring\u003e) and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression name without identifier validation, causing raw PHP to be emitted into the generated template source and executed at template-load time. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:22:57.332Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-45vw-wh46-2vx8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-45vw-wh46-2vx8"
},
{
"name": "https://github.com/twigphp/Twig/commit/324fa60545694fa6abe85ded9befcb82e1066bc2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/324fa60545694fa6abe85ded9befcb82e1066bc2"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-45vw-wh46-2vx8",
"discovery": "UNKNOWN"
},
"title": "Twig: Arbitrary PHP code execution via `_self.(\u003cstring\u003e)` macro-reference compilation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46640",
"datePublished": "2026-07-14T21:22:57.332Z",
"dateReserved": "2026-05-15T20:11:54.584Z",
"dateUpdated": "2026-07-14T21:22:57.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46639 (GCVE-0-2026-46639)
Vulnerability from nvd – Published: 2026-07-14 21:13 – Updated: 2026-07-14 21:13
VLAI
EPSS
VEX
Title
Twig: Sandbox property and method bypass via object-destructuring assignment
Summary
Twig is a template language for PHP. From 3.24.0 until 3.26.0, object-destructuring assignment compiles CoreExtension::getAttribute() with the sandbox argument hardcoded to false, disabling property and method policy checks and allowing an attacker with write access to a sandboxed Twig template to read public properties or invoke public getters on objects passed to the template engine. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.24.0, \u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. From 3.24.0 until 3.26.0, object-destructuring assignment compiles CoreExtension::getAttribute() with the sandbox argument hardcoded to false, disabling property and method policy checks and allowing an attacker with write access to a sandboxed Twig template to read public properties or invoke public getters on objects passed to the template engine. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:13:42.321Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-mm6w-gr99-p3jj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-mm6w-gr99-p3jj"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-mm6w-gr99-p3jj",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox property and method bypass via object-destructuring assignment"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46639",
"datePublished": "2026-07-14T21:13:42.321Z",
"dateReserved": "2026-05-15T20:11:54.584Z",
"dateUpdated": "2026-07-14T21:13:42.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46638 (GCVE-0-2026-46638)
Vulnerability from nvd – Published: 2026-07-14 21:23 – Updated: 2026-07-14 21:23
VLAI
EPSS
VEX
Title
Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
Summary
Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags, filters, and functions that should have been denied by SecurityPolicy::checkSecurity(). This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/819c6a89fe… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags, filters, and functions that should have been denied by SecurityPolicy::checkSecurity(). This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:23:50.961Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-7fxw-r6jv-74c8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-7fxw-r6jv-74c8"
},
{
"name": "https://github.com/twigphp/Twig/commit/819c6a89fe0f261b8555c4f4d5e27d31984223ea",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/819c6a89fe0f261b8555c4f4d5e27d31984223ea"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-7fxw-r6jv-74c8",
"discovery": "UNKNOWN"
},
"title": "Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46638",
"datePublished": "2026-07-14T21:23:50.961Z",
"dateReserved": "2026-05-15T20:11:54.584Z",
"dateUpdated": "2026-07-14T21:23:50.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46637 (GCVE-0-2026-46637)
Vulnerability from nvd – Published: 2026-07-14 21:25 – Updated: 2026-07-14 21:25
VLAI
EPSS
VEX
Title
Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`
Summary
Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/84982072c7… | x_refsource_MISC |
| https://github.com/twigphp/Twig/commit/e36489d352… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| twigphp | Twig |
Affected:
< 3.26.0
|
|
| twig | cssinliner-extra |
Affected:
< 3.26.0
|
|
| twig | markdown-extra |
Affected:
< 3.26.0
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
},
{
"product": "cssinliner-extra",
"vendor": "twig",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
},
{
"product": "markdown-extra",
"vendor": "twig",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe =\u003e [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:25:20.141Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-jv8m-2544-3pg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-jv8m-2544-3pg3"
},
{
"name": "https://github.com/twigphp/Twig/commit/84982072c79a7417b0d158a401d91344f3658299",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/84982072c79a7417b0d158a401d91344f3658299"
},
{
"name": "https://github.com/twigphp/Twig/commit/e36489d3521ecbfc08bdcc61294302557035f14a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/e36489d3521ecbfc08bdcc61294302557035f14a"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-jv8m-2544-3pg3",
"discovery": "UNKNOWN"
},
"title": "Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe =\u003e [\u0027all\u0027]`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46637",
"datePublished": "2026-07-14T21:25:20.141Z",
"dateReserved": "2026-05-15T20:11:54.584Z",
"dateUpdated": "2026-07-14T21:25:20.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46635 (GCVE-0-2026-46635)
Vulnerability from nvd – Published: 2026-07-14 21:12 – Updated: 2026-07-14 21:12
VLAI
EPSS
VEX
Title
Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects)
Summary
Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/f05c5011c2… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:12:56.046Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-vcc8-phrv-43wj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-vcc8-phrv-43wj"
},
{
"name": "https://github.com/twigphp/Twig/commit/f05c5011c25caf17de37614b7e04662022532ac4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/f05c5011c25caf17de37614b7e04662022532ac4"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-vcc8-phrv-43wj",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46635",
"datePublished": "2026-07-14T21:12:56.046Z",
"dateReserved": "2026-05-15T20:11:54.583Z",
"dateUpdated": "2026-07-14T21:12:56.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46634 (GCVE-0-2026-46634)
Vulnerability from nvd – Published: 2026-07-14 21:19 – Updated: 2026-07-14 21:19
VLAI
EPSS
VEX
Title
Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
Summary
Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__<hash> name that can fall outside a SourcePolicyInterface sandbox decision, allowing a sandboxed template that can call template_from_string and include to render an inner template without security policy enforcement. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/1cde8f2b62… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.9.0, \u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__\u003chash\u003e name that can fall outside a SourcePolicyInterface sandbox decision, allowing a sandboxed template that can call template_from_string and include to render an inner template without security policy enforcement. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:19:17.804Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-24x9-r6q4-q93w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-24x9-r6q4-q93w"
},
{
"name": "https://github.com/twigphp/Twig/commit/1cde8f2b62463f85d47995fc25f8241cb409d915",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/1cde8f2b62463f85d47995fc25f8241cb409d915"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-24x9-r6q4-q93w",
"discovery": "UNKNOWN"
},
"title": "Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46634",
"datePublished": "2026-07-14T21:19:17.804Z",
"dateReserved": "2026-05-15T20:11:54.583Z",
"dateUpdated": "2026-07-14T21:19:17.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46633 (GCVE-0-2026-46633)
Vulnerability from nvd – Published: 2026-07-14 21:14 – Updated: 2026-07-14 21:14
VLAI
EPSS
VEX
Title
Twig: PHP code injection via `{% use %}` template name
Summary
Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name to terminate the string and inject arbitrary PHP expressions into the compiled cache file. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/679447fa29… | x_refsource_MISC |
| https://github.com/twigphp/Twig/commit/e9ff55f691… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name to terminate the string and inject arbitrary PHP expressions into the compiled cache file. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:14:24.916Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-7p85-w9px-jpjp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-7p85-w9px-jpjp"
},
{
"name": "https://github.com/twigphp/Twig/commit/679447fa29083043665482ccf7d64372472621b8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/679447fa29083043665482ccf7d64372472621b8"
},
{
"name": "https://github.com/twigphp/Twig/commit/e9ff55f6910832428e48a35b2e0748189ad49ae3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/e9ff55f6910832428e48a35b2e0748189ad49ae3"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-7p85-w9px-jpjp",
"discovery": "UNKNOWN"
},
"title": "Twig: PHP code injection via `{% use %}` template name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46633",
"datePublished": "2026-07-14T21:14:24.916Z",
"dateReserved": "2026-05-15T20:11:54.583Z",
"dateUpdated": "2026-07-14T21:14:24.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46629 (GCVE-0-2026-46629)
Vulnerability from nvd – Published: 2026-07-14 21:22 – Updated: 2026-07-14 21:22
VLAI
EPSS
VEX
Title
Twig: Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments
Summary
Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig\Environment. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/6add9066fc… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig\\Environment. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:22:15.595Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-35wc-cvqg-78fp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-35wc-cvqg-78fp"
},
{
"name": "https://github.com/twigphp/Twig/commit/6add9066fc5c0455eb764c1f3af6e4e4e3562419",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/6add9066fc5c0455eb764c1f3af6e4e4e3562419"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-35wc-cvqg-78fp",
"discovery": "UNKNOWN"
},
"title": "Twig: Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46629",
"datePublished": "2026-07-14T21:22:15.595Z",
"dateReserved": "2026-05-15T19:34:14.013Z",
"dateUpdated": "2026-07-14T21:22:15.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46628 (GCVE-0-2026-46628)
Vulnerability from nvd – Published: 2026-07-14 21:19 – Updated: 2026-07-14 21:19
VLAI
EPSS
VEX
Title
Twig: The `spaceless` filter implicitly marks its output as safe
Summary
Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/3190b9ae12… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:19:54.501Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-4j38-f5cw-54h7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-4j38-f5cw-54h7"
},
{
"name": "https://github.com/twigphp/Twig/commit/3190b9ae12614dfd58cc5d8f394bac4708b17913",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/3190b9ae12614dfd58cc5d8f394bac4708b17913"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-4j38-f5cw-54h7",
"discovery": "UNKNOWN"
},
"title": "Twig: The `spaceless` filter implicitly marks its output as safe"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46628",
"datePublished": "2026-07-14T21:19:54.501Z",
"dateReserved": "2026-05-15T19:34:14.013Z",
"dateUpdated": "2026-07-14T21:19:54.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46627 (GCVE-0-2026-46627)
Vulnerability from nvd – Published: 2026-07-14 21:15 – Updated: 2026-07-14 21:15
VLAI
EPSS
VEX
Title
Twig: Sandbox resource exhaustion via unbounded `for` / `range()`
Summary
Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion.
Severity
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/6bfa285e2f… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:15:17.366Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-923g-j88x-j34q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-923g-j88x-j34q"
},
{
"name": "https://github.com/twigphp/Twig/commit/6bfa285e2f98651adb7aa480bf83a741d154f09f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/6bfa285e2f98651adb7aa480bf83a741d154f09f"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-923g-j88x-j34q",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox resource exhaustion via unbounded `for` / `range()`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46627",
"datePublished": "2026-07-14T21:15:17.366Z",
"dateReserved": "2026-05-15T19:34:14.013Z",
"dateUpdated": "2026-07-14T21:15:17.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48807 (GCVE-0-2026-48807)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:29 – Updated: 2026-07-14 21:29
VLAI
EPSS
VEX
Title
Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters
Summary
Twig is a template language for PHP. Prior to 3.27.0, the sandbox __toString() checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringable objects to be coerced to strings without consulting the sandbox policy. This issue is fixed in version 3.27.0.
Severity
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/releases/tag/v3.27.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.27.0, the sandbox __toString() checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringable objects to be coerced to strings without consulting the sandbox policy. This issue is fixed in version 3.27.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:29:15.934Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-8x9c-rmqh-456c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-8x9c-rmqh-456c"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.27.0"
}
],
"source": {
"advisory": "GHSA-8x9c-rmqh-456c",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48807",
"datePublished": "2026-07-14T21:29:15.934Z",
"dateReserved": "2026-05-22T20:57:10.975Z",
"dateUpdated": "2026-07-14T21:29:15.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48806 (GCVE-0-2026-48806)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:28 – Updated: 2026-07-14 21:28
VLAI
EPSS
VEX
Title
Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys
Summary
Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke __toString() on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed(). This issue is fixed in version 3.27.0.
Severity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/9ff4101463… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.27.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke __toString() on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed(). This issue is fixed in version 3.27.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:28:08.781Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-5v5v-ww74-355v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-5v5v-ww74-355v"
},
{
"name": "https://github.com/twigphp/Twig/commit/9ff41014639ef0e8eb50ac7669191c309d863105",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/9ff41014639ef0e8eb50ac7669191c309d863105"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.27.0"
}
],
"source": {
"advisory": "GHSA-5v5v-ww74-355v",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48806",
"datePublished": "2026-07-14T21:28:08.781Z",
"dateReserved": "2026-05-22T20:57:10.975Z",
"dateUpdated": "2026-07-14T21:28:08.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48808 (GCVE-0-2026-48808)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:27 – Updated: 2026-07-14 21:27
VLAI
EPSS
VEX
Title
Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
Summary
Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed(), so SourcePolicyInterface decisions are lost and a template author can read public or magic properties not allowed by the sandbox policy. This issue is fixed in version 3.27.0.
Severity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/09c6706407… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.27.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed(), so SourcePolicyInterface decisions are lost and a template author can read public or magic properties not allowed by the sandbox policy. This issue is fixed in version 3.27.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:27:21.812Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-h8vq-8gpg-mhcg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-h8vq-8gpg-mhcg"
},
{
"name": "https://github.com/twigphp/Twig/commit/09c6706407ed7b1cb2d7d1408004f811e47e0424",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/09c6706407ed7b1cb2d7d1408004f811e47e0424"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.27.0"
}
],
"source": {
"advisory": "GHSA-h8vq-8gpg-mhcg",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48808",
"datePublished": "2026-07-14T21:27:21.812Z",
"dateReserved": "2026-05-22T20:57:10.976Z",
"dateUpdated": "2026-07-14T21:27:21.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48805 (GCVE-0-2026-48805)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:26 – Updated: 2026-07-14 21:26
VLAI
EPSS
VEX
Title
Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
Summary
Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0.
Severity
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/e235cae3a1… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.27.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:26:34.876Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-p42q-9prx-q5wq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-p42q-9prx-q5wq"
},
{
"name": "https://github.com/twigphp/Twig/commit/e235cae3a1d1e23edc24df4d675f18108c6b167b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/e235cae3a1d1e23edc24df4d675f18108c6b167b"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.27.0"
}
],
"source": {
"advisory": "GHSA-p42q-9prx-q5wq",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48805",
"datePublished": "2026-07-14T21:26:34.876Z",
"dateReserved": "2026-05-22T20:57:10.975Z",
"dateUpdated": "2026-07-14T21:26:34.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49981 (GCVE-0-2026-49981)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:26 – Updated: 2026-07-14 21:26
VLAI
EPSS
VEX
Title
Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
Summary
Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0.
Severity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/23eb6eb126… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.27.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:26:00.460Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-529h-vh3j-85hq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-529h-vh3j-85hq"
},
{
"name": "https://github.com/twigphp/Twig/commit/23eb6eb1267cb0d303b91eb5cff9b0c559c538a4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/23eb6eb1267cb0d303b91eb5cff9b0c559c538a4"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.27.0"
}
],
"source": {
"advisory": "GHSA-529h-vh3j-85hq",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49981",
"datePublished": "2026-07-14T21:26:00.460Z",
"dateReserved": "2026-06-02T18:30:51.282Z",
"dateUpdated": "2026-07-14T21:26:00.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46637 (GCVE-0-2026-46637)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:25 – Updated: 2026-07-14 21:25
VLAI
EPSS
VEX
Title
Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`
Summary
Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/84982072c7… | x_refsource_MISC |
| https://github.com/twigphp/Twig/commit/e36489d352… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| twigphp | Twig |
Affected:
< 3.26.0
|
|
| twig | cssinliner-extra |
Affected:
< 3.26.0
|
|
| twig | markdown-extra |
Affected:
< 3.26.0
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
},
{
"product": "cssinliner-extra",
"vendor": "twig",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
},
{
"product": "markdown-extra",
"vendor": "twig",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe =\u003e [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:25:20.141Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-jv8m-2544-3pg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-jv8m-2544-3pg3"
},
{
"name": "https://github.com/twigphp/Twig/commit/84982072c79a7417b0d158a401d91344f3658299",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/84982072c79a7417b0d158a401d91344f3658299"
},
{
"name": "https://github.com/twigphp/Twig/commit/e36489d3521ecbfc08bdcc61294302557035f14a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/e36489d3521ecbfc08bdcc61294302557035f14a"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-jv8m-2544-3pg3",
"discovery": "UNKNOWN"
},
"title": "Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe =\u003e [\u0027all\u0027]`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46637",
"datePublished": "2026-07-14T21:25:20.141Z",
"dateReserved": "2026-05-15T20:11:54.584Z",
"dateUpdated": "2026-07-14T21:25:20.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46638 (GCVE-0-2026-46638)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:23 – Updated: 2026-07-14 21:23
VLAI
EPSS
VEX
Title
Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
Summary
Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags, filters, and functions that should have been denied by SecurityPolicy::checkSecurity(). This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/819c6a89fe… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags, filters, and functions that should have been denied by SecurityPolicy::checkSecurity(). This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:23:50.961Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-7fxw-r6jv-74c8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-7fxw-r6jv-74c8"
},
{
"name": "https://github.com/twigphp/Twig/commit/819c6a89fe0f261b8555c4f4d5e27d31984223ea",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/819c6a89fe0f261b8555c4f4d5e27d31984223ea"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-7fxw-r6jv-74c8",
"discovery": "UNKNOWN"
},
"title": "Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46638",
"datePublished": "2026-07-14T21:23:50.961Z",
"dateReserved": "2026-05-15T20:11:54.584Z",
"dateUpdated": "2026-07-14T21:23:50.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46640 (GCVE-0-2026-46640)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:22 – Updated: 2026-07-14 21:22
VLAI
EPSS
VEX
Title
Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation
Summary
Twig is a template language for PHP. From 3.15.0 until 3.26.0, _self.(<string>) and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression name without identifier validation, causing raw PHP to be emitted into the generated template source and executed at template-load time. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/324fa60545… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.15.0, \u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. From 3.15.0 until 3.26.0, _self.(\u003cstring\u003e) and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression name without identifier validation, causing raw PHP to be emitted into the generated template source and executed at template-load time. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:22:57.332Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-45vw-wh46-2vx8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-45vw-wh46-2vx8"
},
{
"name": "https://github.com/twigphp/Twig/commit/324fa60545694fa6abe85ded9befcb82e1066bc2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/324fa60545694fa6abe85ded9befcb82e1066bc2"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-45vw-wh46-2vx8",
"discovery": "UNKNOWN"
},
"title": "Twig: Arbitrary PHP code execution via `_self.(\u003cstring\u003e)` macro-reference compilation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46640",
"datePublished": "2026-07-14T21:22:57.332Z",
"dateReserved": "2026-05-15T20:11:54.584Z",
"dateUpdated": "2026-07-14T21:22:57.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46629 (GCVE-0-2026-46629)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:22 – Updated: 2026-07-14 21:22
VLAI
EPSS
VEX
Title
Twig: Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments
Summary
Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig\Environment. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/6add9066fc… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig\\Environment. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:22:15.595Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-35wc-cvqg-78fp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-35wc-cvqg-78fp"
},
{
"name": "https://github.com/twigphp/Twig/commit/6add9066fc5c0455eb764c1f3af6e4e4e3562419",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/6add9066fc5c0455eb764c1f3af6e4e4e3562419"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-35wc-cvqg-78fp",
"discovery": "UNKNOWN"
},
"title": "Twig: Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46629",
"datePublished": "2026-07-14T21:22:15.595Z",
"dateReserved": "2026-05-15T19:34:14.013Z",
"dateUpdated": "2026-07-14T21:22:15.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47730 (GCVE-0-2026-47730)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:21 – Updated: 2026-07-14 21:21
VLAI
EPSS
VEX
Title
Twig: XSS in profiler HtmlDumper via unescaped template and profile names
Summary
Twig is a template language for PHP. From 3.0.0 until 3.26.0, Twig\Profiler\Dumper\HtmlDumper writes Profile::getTemplate() and Profile::getName() into HTML output without escaping, allowing attacker-controlled template or profile names to inject arbitrary HTML when a browser renders the profiler dump. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/a5f6e8793e… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. From 3.0.0 until 3.26.0, Twig\\Profiler\\Dumper\\HtmlDumper writes Profile::getTemplate() and Profile::getName() into HTML output without escaping, allowing attacker-controlled template or profile names to inject arbitrary HTML when a browser renders the profiler dump. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:21:10.185Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-2g2g-8p8h-fgwm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-2g2g-8p8h-fgwm"
},
{
"name": "https://github.com/twigphp/Twig/commit/a5f6e8793e603ef34fa86aed2a72f9fbe0b43745",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/a5f6e8793e603ef34fa86aed2a72f9fbe0b43745"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-2g2g-8p8h-fgwm",
"discovery": "UNKNOWN"
},
"title": "Twig: XSS in profiler HtmlDumper via unescaped template and profile names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47730",
"datePublished": "2026-07-14T21:21:10.185Z",
"dateReserved": "2026-05-19T21:29:25.483Z",
"dateUpdated": "2026-07-14T21:21:10.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46628 (GCVE-0-2026-46628)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:19 – Updated: 2026-07-14 21:19
VLAI
EPSS
VEX
Title
Twig: The `spaceless` filter implicitly marks its output as safe
Summary
Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/3190b9ae12… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:19:54.501Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-4j38-f5cw-54h7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-4j38-f5cw-54h7"
},
{
"name": "https://github.com/twigphp/Twig/commit/3190b9ae12614dfd58cc5d8f394bac4708b17913",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/3190b9ae12614dfd58cc5d8f394bac4708b17913"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-4j38-f5cw-54h7",
"discovery": "UNKNOWN"
},
"title": "Twig: The `spaceless` filter implicitly marks its output as safe"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46628",
"datePublished": "2026-07-14T21:19:54.501Z",
"dateReserved": "2026-05-15T19:34:14.013Z",
"dateUpdated": "2026-07-14T21:19:54.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46634 (GCVE-0-2026-46634)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:19 – Updated: 2026-07-14 21:19
VLAI
EPSS
VEX
Title
Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
Summary
Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__<hash> name that can fall outside a SourcePolicyInterface sandbox decision, allowing a sandboxed template that can call template_from_string and include to render an inner template without security policy enforcement. This issue is fixed in version 3.26.0.
Severity
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/1cde8f2b62… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.9.0, \u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__\u003chash\u003e name that can fall outside a SourcePolicyInterface sandbox decision, allowing a sandboxed template that can call template_from_string and include to render an inner template without security policy enforcement. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:19:17.804Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-24x9-r6q4-q93w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-24x9-r6q4-q93w"
},
{
"name": "https://github.com/twigphp/Twig/commit/1cde8f2b62463f85d47995fc25f8241cb409d915",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/1cde8f2b62463f85d47995fc25f8241cb409d915"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-24x9-r6q4-q93w",
"discovery": "UNKNOWN"
},
"title": "Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46634",
"datePublished": "2026-07-14T21:19:17.804Z",
"dateReserved": "2026-05-15T20:11:54.583Z",
"dateUpdated": "2026-07-14T21:19:17.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46627 (GCVE-0-2026-46627)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:15 – Updated: 2026-07-14 21:15
VLAI
EPSS
VEX
Title
Twig: Sandbox resource exhaustion via unbounded `for` / `range()`
Summary
Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion.
Severity
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/twigphp/Twig/security/advisori… | x_refsource_CONFIRM |
| https://github.com/twigphp/Twig/commit/6bfa285e2f… | x_refsource_MISC |
| https://github.com/twigphp/Twig/releases/tag/v3.26.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "Twig",
"vendor": "twigphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:15:17.366Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twigphp/Twig/security/advisories/GHSA-923g-j88x-j34q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-923g-j88x-j34q"
},
{
"name": "https://github.com/twigphp/Twig/commit/6bfa285e2f98651adb7aa480bf83a741d154f09f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/commit/6bfa285e2f98651adb7aa480bf83a741d154f09f"
},
{
"name": "https://github.com/twigphp/Twig/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-923g-j88x-j34q",
"discovery": "UNKNOWN"
},
"title": "Twig: Sandbox resource exhaustion via unbounded `for` / `range()`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46627",
"datePublished": "2026-07-14T21:15:17.366Z",
"dateReserved": "2026-05-15T19:34:14.013Z",
"dateUpdated": "2026-07-14T21:15:17.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}