11 matches found
CVE-2026-48806
Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke toString on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed. This issue is fixed in versi...
CVE-2026-48806
Twig (PHP) prior to 3.27.0 is vulnerable to a Sandbox __toString() policy bypass via dynamic mapping keys in ArrayExpression. The issue allows a Stringable object used as a mapping key to invoke its __toString() without SandboxExtension::ensureToStringAllowed(), enabling potential data exposure a...
CVE-2026-48806 Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys
Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke toString on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed. This issue is fixed in versi...
Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys
Description This is a residual bypass of CVE-2026-47732 / GHSA-pr2w-4gpj-cpq4 left after the initial fix for unguarded toString calls. In 3.26.0 the sandbox visitor was extended to wrap every child node that its parent will string-coerce at runtime with CheckToStringNode, gated by the new...
GHSA-5V5V-WW74-355V Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys
Description This is a residual bypass of CVE-2026-47732 / GHSA-pr2w-4gpj-cpq4 left after the initial fix for unguarded toString calls. In 3.26.0 the sandbox visitor was extended to wrap every child node that its parent will string-coerce at runtime with CheckToStringNode, gated by the new...
Incorrect Authorization
Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization via dynamic mapping key handling in ArrayExpression. An attacker can bypass the sandbox toString restrictions by using a stringable object as a...
CVE-2025-43757
A reflected cross-site scripting XSS vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7....
GHSA-M49P-6CJP-X2H3 Liferay Portal Vulnerable to Cross-Site Scripting via DDM Structure Field Labels
A stored DOM-based Cross-Site Scripting XSS vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and...
PT-2024-27444 · Elastic · Elasticsearch
Name of the Vulnerable Software and Affected Versions: Elasticsearch affected versions not specified Description: A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of passthrough type. Under certain circumstances, ingestin...
SUSE CVE-2024-37280
A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of "passthrough" type. Under certain circumstances, ingesting documents in this index would cause a StackOverflow exception to be thrown and ultimately lead to a Denial of...
Sandbox `__toString()` policy bypass via dynamic mapping keys
More info at https://symfony.com/blog/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynamic-mapping-keys...