Lucene search
+L

9 matches found

redhatcve
redhatcve
added yesterday4 views

CVE-2026-47732

A flaw was found in Twig, a template language for PHP. This vulnerability allows a sandboxed template author to bypass security policies by triggering PHP string coercion on specific language constructs. This can lead to information disclosure, as an attacker may be able to invoke toString on...

7.1CVSS6AI score0.00371EPSS
Exploits0References2
cve
cve
added 2 days ago20 views

CVE-2026-47732

Twig Sandbox: multiple __toString() policy bypasses via unguarded string coercion points existed prior to 3.26.0, enabling string coercion of Stringable operands through various constructs (conditional expressions, matches operator, loose comparisons, tests, template-loading tags, dynamic attribu...

7.1CVSS6.1AI score0.00371EPSS
Exploits0References3Affected Software1
osv
osv
added 2026/06/30 6:42 p.m.4 views

GHSA-5V5V-WW74-355V Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys

Description This is a residual bypass of CVE-2026-47732 / GHSA-pr2w-4gpj-cpq4 left after the initial fix for unguarded toString calls. In 3.26.0 the sandbox visitor was extended to wrap every child node that its parent will string-coerce at runtime with CheckToStringNode, gated by the new...

7.1CVSS5.8AI score0.00238EPSS
Exploits0References5
osv
osv
added 2026/06/05 9:47 p.m.10 views

GHSA-PR2W-4GPJ-CPQ4 Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points

Description SandboxNodeVisitor enforces SecurityPolicy::checkMethodAllowed for implicit toString calls by wrapping selected AST nodes in CheckToStringNode. The set of wrapped nodes is incomplete, and several Twig language constructs still trigger PHP string coercion on a Stringable operand withou...

7.1CVSS5.5AI score0.00371EPSS
Exploits0References5
github
github
added 2026/06/05 9:47 p.m.13 views

Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points

Description SandboxNodeVisitor enforces SecurityPolicy::checkMethodAllowed for implicit toString calls by wrapping selected AST nodes in CheckToStringNode. The set of wrapped nodes is incomplete, and several Twig language constructs still trigger PHP string coercion on a Stringable operand withou...

7.1CVSS5.4AI score0.00371EPSS
Exploits0References5Affected Software1
veracode
veracode
added 2026/02/12 7:25 a.m.8 views

Arbitrary Code Execution

SandboxJS is vulnerable to a sandbox escape vulnerability. The vulnerability is due to inconsistent key validation during property access, where the key is sanitized using hasOwnPropertykey but not strictly enforced as a string, allowing attackers to supply crafted objects that coerce to differen...

10CVSS5.5AI score0.00489EPSS
Exploits1References3Affected Software1
redhatcve
redhatcve
added 2026/02/08 1:21 a.m.5 views

CVE-2026-25641

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is...

10CVSS5.4AI score0.00489EPSS
Exploits1References1
nvd
nvd
added 2026/02/06 8:16 p.m.12 views

CVE-2026-25641

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is...

10CVSS0.00489EPSS
Exploits1References3
friendsofphp
friendsofphp
added 1970/01/01 12:0 a.m.15 views

Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points

More info at https://symfony.com/cve-2026-47732...

7.1CVSS5.8AI score0.00371EPSS
Exploits0Affected Software1
Rows per page
Query Builder