97 matches found
CVE-2026-11407
PIMCORE CMS/DXP 12.3.8 contains a sandbox bypass in the Twig SecurityPolicy (checkMethodAllowed and checkPropertyAllowed). Authenticated administrative attackers can craft malicious Twig templates via DataObject ClassDefinition Layout\Text to execute arbitrary PHP object methods, perform file rea...
GHSA-PR2W-4GPJ-CPQ4 Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
Description SandboxNodeVisitor enforces SecurityPolicy::checkMethodAllowed for implicit `__toString()` calls by wrapping selected AST nodes in CheckToStringNode. The set of wrapped nodes is incomplete, and several Twig language constructs still trigger PHP string coercion on a Stringable operand withou...
Twig: Possible sandbox bypass when using a source policy
Description When using the sandbox with a SourcePolicyInterface, Twig does not always apply the sandbox restriction that forbids non-Closure callbacks for callback-accepting filters. The issue affects the sort, filter, map, and reduce filters. In the affected versions, the runtime check that...
CVE-2026-42610
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (e.g. a Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. The attacker can programmatically load administrative user objects and extra...
CVE-2026-26274
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safemode is enabled. Backend users with Developer permissions could use Twig template markup ...
CVE-2026-24425
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that...
Incorrect Authorization
Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization via the column filter's use of PHP array_column. An attacker can bypass Twig sandbox property restrictions because array_column accesses object...
Allocation of Resources Without Limits or Throttling
Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via untrusted Twig template evaluation within the sandbox. An attacker can cause denial of service by supplying...
PT-2026-42168
Affected software and versions: Twig 2.16.x; Twig 3.9.0 through 3.25.x. Description: A sandbox bypass exists when using a SourcePolicyInterface. This occurs because a runtime check fails to use the current template source, allowing attackers with template...
EUVD-2026-29135
Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray...
GHSA-J274-39QW-32C9 Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
Summary The Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No...
CVE-2026-44738 Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets...
CVE-2026-44738
Technical details are not publicly available in the provided documents. Monitor for updates from authoritative sources for affected software, version, and remediation.
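The entries above describe four distinct ways a Twig sandbox policy failed to hold: implicit `__toString()` coercion on Stringable operands that was not routed through SecurityPolicy::checkMethodAllowed, callback-taking filters (sort, filter, map, reduce) accepting non-Closure callables when a SourcePolicyInterface decides per source, the column filter reaching object properties through array_column around the sandbox's property restrictions, and a CMS allow-list (Grav) that let editors call toArray on the live configuration object. The PHP below is an added example, not code from Twig, Grav, October or Pimcore: it renders untrusted template bodies under a deny-by-default SecurityPolicy, sandboxes every template globally rather than per source, lists no callback-taking filter and no column filter, enumerates methods and properties per class, and hands the template a narrow read-only view instead of the live config object. It assumes twig/twig 3.x installed via Composer on PHP 8.1+; the names SiteConfigView, Page, renderUntrusted and the template strings are hypothetical and constructed for the example.

```php
<?php
// Added example, not from any project listed in the advisories above.
// Assumes twig/twig 3.x via Composer, PHP 8.1+. SiteConfigView, Page and the
// template strings below are hypothetical names constructed for this example.

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// A narrow read-only view of configuration. The template never sees the
// real config/container object, so there is no toArray() or service lookup
// to reach even if the policy is loosened later.
final class SiteConfigView
{
    public function __construct(private array $public) {}

    public function get(string $key): ?string
    {
        return $this->public[$key] ?? null;
    }
}

// A Stringable model object. getDraft() and __toString() expose data that
// editors must not see, so neither is listed in the policy below.
final class Page
{
    public function __construct(public string $slug, private string $draft) {}

    public function getTitle(): string { return ucfirst($this->slug); }
    public function getDraft(): string { return $this->draft; }
    public function __toString(): string { return $this->draft; }
}

function buildSandboxedTwig(): Environment
{
    // Every list is an explicit allow-list; anything absent is refused.
    $policy = new SecurityPolicy(
        ['if', 'for', 'set'],                                               // tags
        ['escape', 'upper', 'length', 'join'],                             // filters: none that accept callables, no column
        [Page::class => ['getTitle'], SiteConfigView::class => ['get']],   // methods, per class
        [Page::class => ['slug']],                                         // properties, per class
        []                                                                  // functions
    );
    $twig = new Environment(new ArrayLoader([]), ['autoescape' => 'html']);
    // sandboxed=true applies the policy to every template, so no per-source
    // decision (SourcePolicyInterface) is consulted at render time.
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

/** Render an untrusted body; return its output, or the SecurityError subclass that refused it. */
function renderUntrusted(string $body, array $context): string
{
    try {
        return buildSandboxedTwig()->createTemplate($body)->render($context);
    } catch (SecurityError $e) {
        return get_class($e);
    }
}

// Constructed sample context standing in for what a CMS would hand a page body.
$context = [
    'page'   => new Page('about', 'unpublished draft text'),
    'config' => new SiteConfigView(['site_name' => 'Example']),
];

// Constructed template bodies: the first three use only allow-listed access,
// the last three probe the three kinds of policy check (method, implicit
// __toString(), filter).
$cases = [
    'allowed method'        => "{{ page.getTitle() }}",
    'allowed property'      => "{{ page.slug }}",
    'config through view'   => "{{ config.get('site_name') }}",
    'method not in policy'  => "{{ page.getDraft() }}",
    'implicit __toString()' => "{{ page }}",
    'filter not in policy'  => "{{ [3, 1, 2]|sort|join(',') }}",
];

foreach ($cases as $label => $body) {
    printf("%-22s %s\n", $label, renderUntrusted($body, $context));
}
```

Run it with `php sandbox_demo.php` (hypothetical file name) after `composer require twig/twig`. The point of the harness is the review discipline it enforces: every object reachable from the context appears in the policy by class with its permitted methods and properties spelled out, `__toString()` counts as a method and is absent unless deliberately added, and filters that take a callable stay out of the filter list until the deployed Twig version is past the range named in CVE-2026-24425.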