| CVE-2015-7809 |
medium |
— |
6.8 |
|
|
|
11y ago |
Twig remote code execution in templates |
| CVE-2026-46634 |
medium |
— |
5.5 |
|
|
|
15d ago |
Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name |
| CVE-2026-46638 |
medium |
— |
5.5 |
|
|
|
15d ago |
Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411) |
| CVE-2026-46628 |
low |
— |
2.5 |
|
|
|
15d ago |
Twig: The `spaceless` filter implicitly marks its output as safe |
| CVE-2026-46635 |
low |
— |
2.5 |
|
|
|
15d ago |
Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) |
| CVE-2026-48805 |
unknown |
— |
— |
|
|
|
8d ago |
Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php` |
| CVE-2026-48807 |
unknown |
— |
— |
|
|
|
8d ago |
Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators |
| CVE-2026-46636 |
unknown |
— |
— |
|
|
|
8d ago |
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders |
| CVE-2026-48808 |
unknown |
— |
— |
|
|
|
8d ago |
Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface` |
| CVE-2026-48806 |
unknown |
— |
— |
|
|
|
8d ago |
Sandbox `__toString()` policy bypass via dynamic mapping keys |
| CVE-2026-47730 |
unknown |
— |
— |
|
|
|
15d ago |
XSS in profiler HtmlDumper via unescaped template and profile names |
| CVE-2026-46627 |
unknown |
— |
— |
|
|
|
15d ago |
Sandbox does not protect against resource exhaustion |
| CVE-2026-47732 |
unknown |
— |
— |
|
|
|
15d ago |
Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points |
| CVE-2025-24374 |
unknown |
— |
— |
|
|
|
1y ago |
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0. |
| CVE-2024-51755 |
unknown |
— |
— |
|
|
|
2y ago |
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property polic… |
| CVE-2024-51754 |
unknown |
— |
— |
|
|
|
2y ago |
Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of … |
| CVE-2024-45411 |
unknown |
— |
— |
|
|
|
2y ago |
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability i… |
| CVE-2022-39261 |
unknown |
— |
— |
|
|
|
4y ago |
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us… |
| CVE-2022-23614 |
unknown |
— |
— |
|
|
|
4y ago |
Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In… |
