Skip to content

twig/twig-v2.15.2: 15 vulnerabilities (highest severity is: 8.8) #3

Description

@mend-bolt-for-github
Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (twig/twig-v2.15.2 version) Remediation Possible**
CVE-2026-46633 High 8.8 twig/twig-v2.15.2 Direct twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0
CVE-2024-45411 High 8.5 twig/twig-v2.15.2 Direct twig/twig-v1.44.8,v2.16.1,v3.14.0
CVE-2022-39261 High 7.5 twig/twig-v2.15.2 Direct twig/twig - v3.4.3,twig/twig - v2.15.3,twig/twig - v1.44.7
CVE-2026-49981 High 7.1 twig/twig-v2.15.2 Direct twig/twig - v3.27.0
CVE-2026-48807 High 7.1 twig/twig-v2.15.2 Direct twig/twig - v3.27.0
CVE-2026-48806 High 7.1 twig/twig-v2.15.2 Direct twig/twig - v3.27.0
CVE-2026-47732 High 7.1 twig/twig-v2.15.2 Direct twig/twig - v3.26.0
CVE-2026-46638 High 7.1 twig/twig-v2.15.2 Direct https://github.com/twigphp/Twig.git - v3.26.0,twig/twig - v3.26.0
CVE-2026-48808 Medium 6.5 twig/twig-v2.15.2 Direct twig/twig - v3.27.0
CVE-2026-46627 Medium 6.5 twig/twig-v2.15.2 Direct twig/twig - v3.26.0
CVE-2026-46628 Medium 5.4 twig/twig-v2.15.2 Direct twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0
CVE-2026-48805 Medium 4.3 twig/twig-v2.15.2 Direct twig/twig - v3.27.0
CVE-2026-46635 Medium 4.3 twig/twig-v2.15.2 Direct twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0
CVE-2024-51755 Low 2.2 twig/twig-v2.15.2 Direct twig/twig-3.11.2,3.14.1
CVE-2024-51754 Low 2.2 twig/twig-v2.15.2 Direct twig/twig-3.11.2,3.14.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-46633

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name to terminate the string and inject arbitrary PHP expressions into the compiled cache file. This issue is fixed in version 3.26.0.

Publish Date: 2026-07-14

URL: CVE-2026-46633

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-7p85-w9px-jpjp

Release Date: 2026-05-23

Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0

Step up your Open Source Security Game with Mend here

CVE-2024-45411

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.

Publish Date: 2024-09-09

URL: CVE-2024-45411

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6j75-5wfj-gh66

Release Date: 2024-09-09

Fix Resolution: twig/twig-v1.44.8,v2.16.1,v3.14.0

Step up your Open Source Security Game with Mend here

CVE-2022-39261

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the "source" or "include" statement to read arbitrary files from outside the templates' directory when using a namespace like "@⁠somewhere/../some.file". In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Publish Date: 2022-09-28

URL: CVE-2022-39261

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-52m2-vc4m-jj33

Release Date: 2022-09-28

Fix Resolution: twig/twig - v3.4.3,twig/twig - v2.15.3,twig/twig - v1.44.7

Step up your Open Source Security Game with Mend here

CVE-2026-49981

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0.

Publish Date: 2026-07-14

URL: CVE-2026-49981

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-529h-vh3j-85hq

Release Date: 2026-07-02

Fix Resolution: twig/twig - v3.27.0

Step up your Open Source Security Game with Mend here

CVE-2026-48807

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Prior to 3.27.0, the sandbox __toString() checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringable objects to be coerced to strings without consulting the sandbox policy. This issue is fixed in version 3.27.0.

Publish Date: 2026-07-14

URL: CVE-2026-48807

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8x9c-rmqh-456c

Release Date: 2026-07-01

Fix Resolution: twig/twig - v3.27.0

Step up your Open Source Security Game with Mend here

CVE-2026-48806

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke __toString() on a Stringable object used as a mapping key without calling SandboxExtension::ensureToStringAllowed(). This issue is fixed in version 3.27.0.

Publish Date: 2026-07-14

URL: CVE-2026-48806

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5v5v-ww74-355v

Release Date: 2026-07-01

Fix Resolution: twig/twig - v3.27.0

Step up your Open Source Security Game with Mend here

CVE-2026-47732

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed(), allowing a sandboxed template author to invoke __toString() on objects reachable in the render context through conditional expressions, comparison operators, tests, template-loading tags, dynamic attribute names, spread arguments, the do tag, and the .. range operator. This issue is fixed in version 3.26.0.

Publish Date: 2026-07-14

URL: CVE-2026-47732

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pr2w-4gpj-cpq4

Release Date: 2026-06-14

Fix Resolution: twig/twig - v3.26.0

Step up your Open Source Security Game with Mend here

CVE-2026-46638

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags, filters, and functions that should have been denied by SecurityPolicy::checkSecurity(). This issue is fixed in version 3.26.0.

Publish Date: 2026-07-14

URL: CVE-2026-46638

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-23

Fix Resolution: https://github.com/twigphp/Twig.git - v3.26.0,twig/twig - v3.26.0

Step up your Open Source Security Game with Mend here

CVE-2026-48808

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed(), so SourcePolicyInterface decisions are lost and a template author can read public or magic properties not allowed by the sandbox policy. This issue is fixed in version 3.27.0.

Publish Date: 2026-07-14

URL: CVE-2026-48808

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h8vq-8gpg-mhcg

Release Date: 2026-07-01

Fix Resolution: twig/twig - v3.27.0

Step up your Open Source Security Game with Mend here

CVE-2026-46627

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion.

Publish Date: 2026-07-14

URL: CVE-2026-46627

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-923g-j88x-j34q

Release Date: 2026-07-14

Fix Resolution: twig/twig - v3.26.0

Step up your Open Source Security Game with Mend here

CVE-2026-46628

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0.

Publish Date: 2026-07-14

URL: CVE-2026-46628

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4j38-f5cw-54h7

Release Date: 2026-05-23

Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0

Step up your Open Source Security Game with Mend here

CVE-2026-48805

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0.

Publish Date: 2026-07-14

URL: CVE-2026-48805

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p42q-9prx-q5wq

Release Date: 2026-07-01

Fix Resolution: twig/twig - v3.27.0

Step up your Open Source Security Game with Mend here

CVE-2026-46635

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0.

Publish Date: 2026-07-14

URL: CVE-2026-46635

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vcc8-phrv-43wj

Release Date: 2026-05-23

Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0

Step up your Open Source Security Game with Mend here

CVE-2024-51755

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the "__isset()" method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2024-11-06

URL: CVE-2024-51755

CVSS 3 Score Details (2.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-51755

Release Date: 2024-11-06

Fix Resolution: twig/twig-3.11.2,3.14.1

Step up your Open Source Security Game with Mend here

CVE-2024-51754

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. In a sandbox, an attacker can call "__toString()" on an object even if the "__toString()" method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2024-11-06

URL: CVE-2024-51754

CVSS 3 Score Details (2.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6377-hfv9-hqf6

Release Date: 2024-11-06

Fix Resolution: twig/twig-3.11.2,3.14.1

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions