Package impact
Packagist / twig/twig
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-24425 | critical | 9.9 | 9.9 | 16d ago | Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PH… | |||
| CVE-2026-46633 | critical | — | 9.5 | 16d ago | Twig: PHP code injection via `{% use %}` template name | |||
| CVE-2015-7809 | medium | — | 6.8 | 11y ago | Twig remote code execution in templates | |||
| CVE-2026-46634 | medium | — | 5.5 | 16d ago | Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name | |||
| CVE-2026-46638 | medium | — | 5.5 | 16d ago | Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411) |