9 matches found
CVE-2026-47732
A flaw was found in Twig, a template language for PHP. This vulnerability allows a sandboxed template author to bypass security policies by triggering PHP string coercion on specific language constructs. This can lead to information disclosure, as an attacker may be able to invoke toString on...
CVE-2026-47732
Twig Sandbox: multiple __toString() policy bypasses via unguarded string coercion points existed prior to 3.26.0, enabling string coercion of Stringable operands through various constructs (conditional expressions, matches operator, loose comparisons, tests, template-loading tags, dynamic attribu...
GHSA-5V5V-WW74-355V Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys
Description This is a residual bypass of CVE-2026-47732 / GHSA-pr2w-4gpj-cpq4 left after the initial fix for unguarded toString calls. In 3.26.0 the sandbox visitor was extended to wrap every child node that its parent will string-coerce at runtime with CheckToStringNode, gated by the new...
GHSA-PR2W-4GPJ-CPQ4 Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
Description SandboxNodeVisitor enforces SecurityPolicy::checkMethodAllowed for implicit toString calls by wrapping selected AST nodes in CheckToStringNode. The set of wrapped nodes is incomplete, and several Twig language constructs still trigger PHP string coercion on a Stringable operand withou...
Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
Description SandboxNodeVisitor enforces SecurityPolicy::checkMethodAllowed for implicit toString calls by wrapping selected AST nodes in CheckToStringNode. The set of wrapped nodes is incomplete, and several Twig language constructs still trigger PHP string coercion on a Stringable operand withou...
Arbitrary Code Execution
SandboxJS is vulnerable to a sandbox escape vulnerability. The vulnerability is due to inconsistent key validation during property access, where the key is sanitized using hasOwnPropertykey but not strictly enforced as a string, allowing attackers to supply crafted objects that coerce to differen...
CVE-2026-25641
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is...
CVE-2026-25641
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is...
Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
More info at https://symfony.com/cve-2026-47732...