PKSA-xx6c-6d96-db2w Security Advisory
-
[MEDIUM] Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators
PKSA-xx6c-6d96-db2w CVE-2026-48807 GHSA-8x9c-rmqh-456c
Affected package: twig/twig
Affected version: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
Reported by:
GitHub, FriendsOfPHP/security-advisories