Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Vulnerabilities
| Vulnerability |
Severity |
CVSS |
Dependency |
Type |
Fixed in (twig/twig-v2.15.2 version) |
Remediation Possible** |
| CVE-2026-46633 |
High |
8.8 |
twig/twig-v2.15.2 |
Direct |
twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0 |
❌ |
| CVE-2024-45411 |
High |
8.5 |
twig/twig-v2.15.2 |
Direct |
twig/twig-v1.44.8,v2.16.1,v3.14.0 |
❌ |
| CVE-2022-39261 |
High |
7.5 |
twig/twig-v2.15.2 |
Direct |
twig/twig - v3.4.3,twig/twig - v2.15.3,twig/twig - v1.44.7 |
❌ |
| CVE-2026-49981 |
High |
7.1 |
twig/twig-v2.15.2 |
Direct |
twig/twig - v3.27.0 |
❌ |
| CVE-2026-48807 |
High |
7.1 |
twig/twig-v2.15.2 |
Direct |
twig/twig - v3.27.0 |
❌ |
| CVE-2026-48806 |
High |
7.1 |
twig/twig-v2.15.2 |
Direct |
twig/twig - v3.27.0 |
❌ |
| CVE-2026-47732 |
High |
7.1 |
twig/twig-v2.15.2 |
Direct |
twig/twig - v3.26.0 |
❌ |
| CVE-2026-46638 |
High |
7.1 |
twig/twig-v2.15.2 |
Direct |
https://github.com/twigphp/Twig.git - v3.26.0,twig/twig - v3.26.0 |
❌ |
| CVE-2026-48808 |
Medium |
6.5 |
twig/twig-v2.15.2 |
Direct |
twig/twig - v3.27.0 |
❌ |
| CVE-2026-46627 |
Medium |
6.5 |
twig/twig-v2.15.2 |
Direct |
twig/twig - v3.26.0 |
❌ |
| CVE-2026-46628 |
Medium |
5.4 |
twig/twig-v2.15.2 |
Direct |
twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0 |
❌ |
| CVE-2026-48805 |
Medium |
4.3 |
twig/twig-v2.15.2 |
Direct |
twig/twig - v3.27.0 |
❌ |
| CVE-2026-46635 |
Medium |
4.3 |
twig/twig-v2.15.2 |
Direct |
twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0 |
❌ |
| CVE-2024-51755 |
Low |
2.2 |
twig/twig-v2.15.2 |
Direct |
twig/twig-3.11.2,3.14.1 |
❌ |
| CVE-2024-51754 |
Low |
2.2 |
twig/twig-v2.15.2 |
Direct |
twig/twig-3.11.2,3.14.1 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-46633
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name to terminate the string and inject arbitrary PHP expressions into the compiled cache file. This issue is fixed in version 3.26.0.
Publish Date: 2026-07-14
URL: CVE-2026-46633
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7p85-w9px-jpjp
Release Date: 2026-05-23
Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0
Step up your Open Source Security Game with Mend here
CVE-2024-45411
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
Publish Date: 2024-09-09
URL: CVE-2024-45411
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-6j75-5wfj-gh66
Release Date: 2024-09-09
Fix Resolution: twig/twig-v1.44.8,v2.16.1,v3.14.0
Step up your Open Source Security Game with Mend here
CVE-2022-39261
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the "source" or "include" statement to read arbitrary files from outside the templates' directory when using a namespace like "@somewhere/../some.file". In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
Publish Date: 2022-09-28
URL: CVE-2022-39261
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-52m2-vc4m-jj33
Release Date: 2022-09-28
Fix Resolution: twig/twig - v3.4.3,twig/twig - v2.15.3,twig/twig - v1.44.7
Step up your Open Source Security Game with Mend here
CVE-2026-49981
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0.
Publish Date: 2026-07-14
URL: CVE-2026-49981
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-529h-vh3j-85hq
Release Date: 2026-07-02
Fix Resolution: twig/twig - v3.27.0
Step up your Open Source Security Game with Mend here
CVE-2026-48807
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.27.0, the sandbox __toString() checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringable objects to be coerced to strings without consulting the sandbox policy. This issue is fixed in version 3.27.0.
Publish Date: 2026-07-14
URL: CVE-2026-48807
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-8x9c-rmqh-456c
Release Date: 2026-07-01
Fix Resolution: twig/twig - v3.27.0
Step up your Open Source Security Game with Mend here
CVE-2026-48806
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke __toString() on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed(). This issue is fixed in version 3.27.0.
Publish Date: 2026-07-14
URL: CVE-2026-48806
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5v5v-ww74-355v
Release Date: 2026-07-01
Fix Resolution: twig/twig - v3.27.0
Step up your Open Source Security Game with Mend here
CVE-2026-47732
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed(), allowing a sandboxed template author to invoke __toString() on objects reachable in the render context through conditional expressions, comparison operators, tests, template-loading tags, dynamic attribute names, spread arguments, the do tag, and the .. range operator. This issue is fixed in version 3.26.0.
Publish Date: 2026-07-14
URL: CVE-2026-47732
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-pr2w-4gpj-cpq4
Release Date: 2026-06-14
Fix Resolution: twig/twig - v3.26.0
Step up your Open Source Security Game with Mend here
CVE-2026-46638
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags, filters, and functions that should have been denied by SecurityPolicy::checkSecurity(). This issue is fixed in version 3.26.0.
Publish Date: 2026-07-14
URL: CVE-2026-46638
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-23
Fix Resolution: https://github.com/twigphp/Twig.git - v3.26.0,twig/twig - v3.26.0
Step up your Open Source Security Game with Mend here
CVE-2026-48808
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed(), so SourcePolicyInterface decisions are lost and a template author can read public or magic properties not allowed by the sandbox policy. This issue is fixed in version 3.27.0.
Publish Date: 2026-07-14
URL: CVE-2026-48808
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-h8vq-8gpg-mhcg
Release Date: 2026-07-01
Fix Resolution: twig/twig - v3.27.0
Step up your Open Source Security Game with Mend here
CVE-2026-46627
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion.
Publish Date: 2026-07-14
URL: CVE-2026-46627
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-923g-j88x-j34q
Release Date: 2026-07-14
Fix Resolution: twig/twig - v3.26.0
Step up your Open Source Security Game with Mend here
CVE-2026-46628
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0.
Publish Date: 2026-07-14
URL: CVE-2026-46628
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4j38-f5cw-54h7
Release Date: 2026-05-23
Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0
Step up your Open Source Security Game with Mend here
CVE-2026-48805
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0.
Publish Date: 2026-07-14
URL: CVE-2026-48805
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-p42q-9prx-q5wq
Release Date: 2026-07-01
Fix Resolution: twig/twig - v3.27.0
Step up your Open Source Security Game with Mend here
CVE-2026-46635
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0.
Publish Date: 2026-07-14
URL: CVE-2026-46635
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-vcc8-phrv-43wj
Release Date: 2026-05-23
Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0
Step up your Open Source Security Game with Mend here
CVE-2024-51755
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the "__isset()" method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2024-11-06
URL: CVE-2024-51755
CVSS 3 Score Details (2.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-51755
Release Date: 2024-11-06
Fix Resolution: twig/twig-3.11.2,3.14.1
Step up your Open Source Security Game with Mend here
CVE-2024-51754
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
- ❌ twig/twig-v2.15.2 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. In a sandbox, an attacker can call "__toString()" on an object even if the "__toString()" method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2024-11-06
URL: CVE-2024-51754
CVSS 3 Score Details (2.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-6377-hfv9-hqf6
Release Date: 2024-11-06
Fix Resolution: twig/twig-3.11.2,3.14.1
Step up your Open Source Security Game with Mend here
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name to terminate the string and inject arbitrary PHP expressions into the compiled cache file. This issue is fixed in version 3.26.0.
Publish Date: 2026-07-14
URL: CVE-2026-46633
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-7p85-w9px-jpjp
Release Date: 2026-05-23
Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
Publish Date: 2024-09-09
URL: CVE-2024-45411
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-6j75-5wfj-gh66
Release Date: 2024-09-09
Fix Resolution: twig/twig-v1.44.8,v2.16.1,v3.14.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the "source" or "include" statement to read arbitrary files from outside the templates' directory when using a namespace like "@somewhere/../some.file". In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
Publish Date: 2022-09-28
URL: CVE-2022-39261
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-52m2-vc4m-jj33
Release Date: 2022-09-28
Fix Resolution: twig/twig - v3.4.3,twig/twig - v2.15.3,twig/twig - v1.44.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0.
Publish Date: 2026-07-14
URL: CVE-2026-49981
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-529h-vh3j-85hq
Release Date: 2026-07-02
Fix Resolution: twig/twig - v3.27.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.27.0, the sandbox __toString() checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringable objects to be coerced to strings without consulting the sandbox policy. This issue is fixed in version 3.27.0.
Publish Date: 2026-07-14
URL: CVE-2026-48807
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-8x9c-rmqh-456c
Release Date: 2026-07-01
Fix Resolution: twig/twig - v3.27.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke __toString() on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed(). This issue is fixed in version 3.27.0.
Publish Date: 2026-07-14
URL: CVE-2026-48806
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5v5v-ww74-355v
Release Date: 2026-07-01
Fix Resolution: twig/twig - v3.27.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed(), allowing a sandboxed template author to invoke __toString() on objects reachable in the render context through conditional expressions, comparison operators, tests, template-loading tags, dynamic attribute names, spread arguments, the do tag, and the .. range operator. This issue is fixed in version 3.26.0.
Publish Date: 2026-07-14
URL: CVE-2026-47732
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-pr2w-4gpj-cpq4
Release Date: 2026-06-14
Fix Resolution: twig/twig - v3.26.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags, filters, and functions that should have been denied by SecurityPolicy::checkSecurity(). This issue is fixed in version 3.26.0.
Publish Date: 2026-07-14
URL: CVE-2026-46638
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-23
Fix Resolution: https://github.com/twigphp/Twig.git - v3.26.0,twig/twig - v3.26.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed(), so SourcePolicyInterface decisions are lost and a template author can read public or magic properties not allowed by the sandbox policy. This issue is fixed in version 3.27.0.
Publish Date: 2026-07-14
URL: CVE-2026-48808
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-h8vq-8gpg-mhcg
Release Date: 2026-07-01
Fix Resolution: twig/twig - v3.27.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion.
Publish Date: 2026-07-14
URL: CVE-2026-46627
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-923g-j88x-j34q
Release Date: 2026-07-14
Fix Resolution: twig/twig - v3.26.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0.
Publish Date: 2026-07-14
URL: CVE-2026-46628
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4j38-f5cw-54h7
Release Date: 2026-05-23
Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0.
Publish Date: 2026-07-14
URL: CVE-2026-48805
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-p42q-9prx-q5wq
Release Date: 2026-07-01
Fix Resolution: twig/twig - v3.27.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0.
Publish Date: 2026-07-14
URL: CVE-2026-46635
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-vcc8-phrv-43wj
Release Date: 2026-05-23
Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the "__isset()" method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2024-11-06
URL: CVE-2024-51755
CVSS 3 Score Details (2.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-51755
Release Date: 2024-11-06
Fix Resolution: twig/twig-3.11.2,3.14.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v2.15.2
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. In a sandbox, an attacker can call "__toString()" on an object even if the "__toString()" method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2024-11-06
URL: CVE-2024-51754
CVSS 3 Score Details (2.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-6377-hfv9-hqf6
Release Date: 2024-11-06
Fix Resolution: twig/twig-3.11.2,3.14.1
Step up your Open Source Security Game with Mend here