Lucene search
+L

1299 matches found

NVD
NVD
added 3 days ago5 views

CVE-2026-46640

Twig is a template language for PHP. From 3.15.0 until 3.26.0, self. and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression name without identifier validation, causing raw PHP to be emitted into the generated template source and...

8.8CVSS0.00405EPSS
Exploits0References3
NVD
NVD
added 3 days ago6 views

CVE-2026-46639

Twig is a template language for PHP. From 3.24.0 until 3.26.0, object-destructuring assignment compiles CoreExtension::getAttribute with the sandbox argument hardcoded to false, disabling property and method policy checks and allowing an attacker with write access to a sandboxed Twig template to...

7.1CVSS0.00351EPSS
Exploits0References2
NVD
NVD
added 3 days ago7 views

CVE-2026-46629

Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned...

6.5CVSS0.00302EPSS
Exploits0References3
NVD
NVD
added 3 days ago6 views

CVE-2026-46633

Twig is a template language for PHP. Prior to 3.26.0, Compiler::string does not escape single quotes when a template name from a % use % tag is placed inside a PHP single-quoted string literal, allowing a crafted template name to terminate the string and inject arbitrary PHP expressions into the...

9.8CVSS0.00642EPSS
Exploits0References4
NVD
NVD
added 3 days ago6 views

CVE-2026-46628

Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0...

5.4CVSS0.00169EPSS
Exploits0References3
NVD
NVD
added 3 days ago4 views

CVE-2026-46627

Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenti...

7.1CVSS0.00385EPSS
Exploits0References3
CVE
CVE
added 3 days ago34 views

CVE-2026-48807

Twig: The vulnerability CVE-2026-48807 affects Twig templates in PHP prior to 3.27.0 where sandbox __toString() checks do not fully cover Traversable values passed to join/replace filters or in/not in operators, allowing contained Stringable objects to be coerced to strings without sandbox policy...

9.1CVSS6.1AI score0.00235EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 3 days ago41 views

CVE-2026-48807 Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters

Twig is a template language for PHP. Prior to 3.27.0, the sandbox toString checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringable objects to be coerced to strings without consulting the...

7.1CVSS0.00235EPSS
Exploits0References2
OSV
OSV
added 3 days ago4 views

CVE-2026-48807 Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters

Twig is a template language for PHP. Prior to 3.27.0, the sandbox toString checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringable objects to be coerced to strings without consulting the...

7.1CVSS6.1AI score0.00235EPSS
Exploits0References4
CVE
CVE
added 3 days ago32 views

CVE-2026-48806

Twig (PHP) prior to 3.27.0 is vulnerable to a Sandbox __toString() policy bypass via dynamic mapping keys in ArrayExpression. The issue allows a Stringable object used as a mapping key to invoke its __toString() without SandboxExtension::ensureToStringAllowed(), enabling potential data exposure a...

9.1CVSS6.1AI score0.00238EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 3 days ago38 views

CVE-2026-48806 Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys

Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke toString on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed. This issue is fixed in versi...

7.1CVSS0.00238EPSS
Exploits0References3
OSV
OSV
added 3 days ago4 views

CVE-2026-48806 Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys

Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke toString on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed. This issue is fixed in versi...

7.1CVSS6.1AI score0.00238EPSS
Exploits0References5
CVE
CVE
added 3 days ago31 views

CVE-2026-48808

Twig’s CVE-2026-48808 describes a sandbox bypass in the Column filter: prior to 3.27.0, the active sandbox state was passed but the current Source was not forwarded to SandboxExtension::checkPropertyAllowed(), allowing access to properties not permitted by the sandbox policy. This affects Twig te...

7.5CVSS6.1AI score0.0026EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 3 days ago41 views

CVE-2026-48808 Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed, so SourcePolicyInterface decisions are lost and a template author can read public or magic...

6CVSS0.0026EPSS
Exploits0References3
OSV
OSV
added 3 days ago4 views

CVE-2026-48808 Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed, so SourcePolicyInterface decisions are lost and a template author can read public or magic...

6CVSS6.1AI score0.0026EPSS
Exploits0References5
Cvelist
Cvelist
added 3 days ago40 views

CVE-2026-48805 Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow, arraySome, and arrayEvery, allowing legacy calls such as twigarraysome, twigarrayevery, and twigcheckarrowinsandbox t...

5.3CVSS0.00276EPSS
Exploits0References3
OSV
OSV
added 3 days ago4 views

CVE-2026-48805 Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow, arraySome, and arrayEvery, allowing legacy calls such as twigarraysome, twigarrayevery, and twigcheckarrowinsandbox t...

5.3CVSS6.1AI score0.00276EPSS
Exploits0References5
CVE
CVE
added 3 days ago20 views

CVE-2026-49981

Twig is a template language for PHP. CVE-2026-49981 affects Twig up to version 3.26.x, where the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can be cached after sandbox state changes between renders. This can allow a later sand...

8.2CVSS6.1AI score0.00414EPSS
Exploits0References3Affected Software1
OSV
OSV
added 3 days ago4 views

CVE-2026-49981 Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`

Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was...

6CVSS6.1AI score0.00414EPSS
Exploits0References5
OSV
OSV
added 3 days ago3 views

CVE-2026-46637 Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`

Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with issafe = all, causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly...

5.1CVSS6.1AI score0.00175EPSS
Exploits0References6
Rows per page
Query Builder