3 matches found
CVE-2026-46639
Twig is a template language for PHP. From 3.24.0 until 3.26.0, object-destructuring assignment compiles CoreExtension::getAttribute with the sandbox argument hardcoded to false, disabling property and method policy checks and allowing an attacker with write access to a sandboxed Twig template to...
CVE-2026-46639 Twig: Sandbox property and method bypass via object-destructuring assignment
Twig is a template language for PHP. From 3.24.0 until 3.26.0, object-destructuring assignment compiles CoreExtension::getAttribute with the sandbox argument hardcoded to false, disabling property and method policy checks and allowing an attacker with write access to a sandboxed Twig template to...
CVE-2026-46639
Twig 3.24.0–3.26.0 contains a sandbox bypass in object-destructuring assignment: CoreExtension::getAttribute() is called with sandboxed flag set to false, bypassing security policy checks and allowing a sandboxed template to read public properties or call public getters on objects. The issue is f...