| CVE-2026-24425 |
critical |
9.9 |
9.9 |
|
|
|
16d ago |
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PH… |
| CVE-2026-46633 |
critical |
— |
9.5 |
|
|
|
16d ago |
Twig: PHP code injection via `{% use %}` template name |
| CVE-2015-7809 |
medium |
— |
6.8 |
|
|
|
11y ago |
Twig remote code execution in templates |
| CVE-2026-46634 |
medium |
— |
5.5 |
|
|
|
16d ago |
Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name |
| CVE-2026-46638 |
medium |
— |
5.5 |
|
|
|
16d ago |
Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411) |
| CVE-2026-48808 |
unknown |
— |
— |
|
|
|
9d ago |
Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface` |
| CVE-2026-46636 |
unknown |
— |
— |
|
|
|
9d ago |
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders |
| CVE-2026-48805 |
unknown |
— |
— |
|
|
|
9d ago |
Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php` |
| CVE-2026-48806 |
unknown |
— |
— |
|
|
|
9d ago |
Sandbox `__toString()` policy bypass via dynamic mapping keys |
| CVE-2026-48807 |
unknown |
— |
— |
|
|
|
9d ago |
Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators |
| CVE-2026-47732 |
unknown |
— |
— |
|
|
|
16d ago |
Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points |
| CVE-2026-46627 |
unknown |
— |
— |
|
|
|
16d ago |
Sandbox does not protect against resource exhaustion |
| CVE-2026-47730 |
unknown |
— |
— |
|
|
|
16d ago |
XSS in profiler HtmlDumper via unescaped template and profile names |
| CVE-2025-24374 |
unknown |
— |
— |
|
|
|
1y ago |
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0. |
| CVE-2024-51755 |
unknown |
— |
— |
|
|
|
2y ago |
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property polic… |
| CVE-2024-51754 |
unknown |
— |
— |
|
|
|
2y ago |
Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of … |
| CVE-2024-45411 |
unknown |
— |
— |
|
|
|
2y ago |
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability i… |
| CVE-2022-39261 |
unknown |
— |
— |
|
|
|
4y ago |
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us… |
| CVE-2022-23614 |
unknown |
— |
— |
|
|
|
4y ago |
Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In… |
