twig/twig Security Advisories for v1.23.1 (16)

- Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
  PKSA-fbvq-z33h-r2np CVE-2026-48808
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
  Reported by: FriendsOfPHP/security-advisories

- Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators
  PKSA-xx6c-6d96-db2w CVE-2026-48807
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
  Reported by: FriendsOfPHP/security-advisories

- Sandbox `__toString()` policy bypass via dynamic mapping keys
  PKSA-1tmc-rt7x-12w6 CVE-2026-48806
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
  Reported by: FriendsOfPHP/security-advisories

- Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
  PKSA-g9zw-qxh8-pq8w CVE-2026-48805
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
  Reported by: FriendsOfPHP/security-advisories

- Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders
  PKSA-yd6k-t2gh-1m43 CVE-2026-46636
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
  Reported by: FriendsOfPHP/security-advisories

- [CRITICAL] PHP code injection via `{% use %}` template name
  PKSA-h8hf-ytnd-5t9q CVE-2026-46633 GHSA-7p85-w9px-jpjp
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
  Reported by: GitHub, FriendsOfPHP/security-advisories

- Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
  PKSA-dpx1-78wg-1kqs CVE-2026-47732
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
  Reported by: FriendsOfPHP/security-advisories

- [MEDIUM] `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
  PKSA-3mcc-k66d-pydb CVE-2026-46638 GHSA-7fxw-r6jv-74c8
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
  Reported by: GitHub, FriendsOfPHP/security-advisories

- [LOW] Sandbox property allowlist bypass via the `column` filter (array_column on objects)
  PKSA-n14z-jjjg-g8vd CVE-2026-46635 GHSA-vcc8-phrv-43wj
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
  Reported by: GitHub, FriendsOfPHP/security-advisories

- [LOW] The `spaceless` filter implicitly marks its output as safe
  PKSA-sjvz-tbbr-vwth CVE-2026-46628 GHSA-4j38-f5cw-54h7
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
  Reported by: GitHub, FriendsOfPHP/security-advisories

- Sandbox does not protect against resource exhaustion
  PKSA-kvv6-36cr-fkzb CVE-2026-46627
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
  Reported by: FriendsOfPHP/security-advisories

- [LOW] Unguarded calls to __isset() and to array-accesses when the sandbox is enabled
  PKSA-2wrf-1xmk-1pky CVE-2024-51755 GHSA-jjxq-ff2g-95vh
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1
  Reported by: GitHub, FriendsOfPHP/security-advisories

- [LOW] Unguarded calls to __toString() when nesting an object into an array
  PKSA-yhcn-xrg3-68b1 CVE-2024-51754 GHSA-6377-hfv9-hqf6
  Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1
  Reported by: GitHub, FriendsOfPHP/security-advisories

- [MEDIUM] Possible sandbox bypass
  PKSA-6319-ffpf-gx66 CVE-2024-45411 GHSA-6j75-5wfj-gh66
  Affected versions: >=1.0.0,<1.44.7|>=2.0.0,<2.16.0|>=3.0.0,<3.11.0|>=3.12.0,<3.14.0
  Reported by: GitHub, FriendsOfPHP/security-advisories

- [HIGH] Possibility to load a template outside a configured directory when using the filesystem loader
  PKSA-n7sg-8f52-pqtf CVE-2022-39261 GHSA-52m2-vc4m-jj33
  Affected versions: >=1.0.0,<1.44.7|>=2.0.0,<2.15.3|>=3.0.0,<3.4.3
  Reported by: GitHub, FriendsOfPHP/security-advisories

- [LOW] Sandbox Information Disclosure
  PKSA-6cvh-gt46-wq7q CVE-2019-9942 GHSA-vxrc-68xx-x48g
  Affected versions: <1.38.0|>=2.0.0,<2.7.0
  Reported by: GitHub, FriendsOfPHP/security-advisories