Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators

PKSA-xx6c-6d96-db2w CVE-2026-48807

Affected package: twig/twig

Affected version: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0

Reported by:
FriendsOfPHP/security-advisories