Lucene search
+L

7 matches found

nvd
nvd
added 2 days ago9 views

CVE-2026-48807

Twig is a template language for PHP. Prior to 3.27.0, the sandbox toString checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringable objects to be coerced to strings without consulting the...

7.1CVSS0.00235EPSS
Exploits0References2
nvd
nvd
added 2 days ago8 views

CVE-2026-48806

Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke toString on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed. This issue is fixed in versi...

7.1CVSS0.00238EPSS
Exploits0References3
nvd
nvd
added 2 days ago5 views

CVE-2026-47732

Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed, allowing a sandboxed template author to invoke toString on objects reachable in the render context...

7.1CVSS0.00371EPSS
Exploits0References3
cve
cve
added 2 days ago29 views

CVE-2026-48807

CVE-2026-48807 - Twig sandbox bypass via Traversable in join/replace and in/not in operators Affected: Twig template engine for PHP (prior to 3.27.0). Issue: The sandboxed __toString() checks fail to fully cover Traversable values passed to join and replace filters or operands evaluated by in/not...

7.1CVSS6.1AI score0.00235EPSS
Exploits0References2
cve
cve
added 2 days ago31 views

CVE-2026-48806

Twig’s vulnerability CVE-2026-48806 concerns dynamic mapping keys in ArrayExpression not being wrapped for string coercion, allowing PHP to call __toString() on a Stringable key without SandboxExtension::ensureToStringAllowed(). The issue affects Twig

7.1CVSS6.1AI score0.00238EPSS
Exploits0References3
osv
osv
added 2026/06/30 6:43 p.m.8 views

GHSA-8X9C-RMQH-456C Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters

Description This is a residual bypass of CVE-2026-47732 / GHSA-pr2w-4gpj-cpq4 left after the initial fix for unguarded toString calls. It covers two related coercion points that were not caught by the original patch. Traversable in join and replace filters. SandboxExtension::ensureToStringAllowed...

7.1CVSS5.8AI score0.00235EPSS
Exploits0References5
osv
osv
added 2026/06/05 9:47 p.m.10 views

GHSA-PR2W-4GPJ-CPQ4 Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points

Description SandboxNodeVisitor enforces SecurityPolicy::checkMethodAllowed for implicit toString calls by wrapping selected AST nodes in CheckToStringNode. The set of wrapped nodes is incomplete, and several Twig language constructs still trigger PHP string coercion on a Stringable operand withou...

7.1CVSS5.5AI score0.00371EPSS
Exploits0References5
Rows per page
Query Builder