symfony/twig-bundle-v7.3.4: 11 vulnerabilities (highest severity is: 9.9) #1

Description

@mend-for-github-com
Vulnerable Library - symfony/twig-bundle-v7.3.4

Vulnerabilities

Vulnerability   Severity  CVSS  Dependency                       Type        Fixed in (symfony/twig-bundle-v7.3.4 version)  Remediation Possible**
CVE-2026-46638  Critical  9.9   twig/twig-v3.21.1                Transitive  N/A*
CVE-2026-46634  Critical  9.9   twig/twig-v3.21.1                Transitive  N/A*
CVE-2026-46633  Critical  9.8   twig/twig-v3.21.1                Transitive  N/A*
CVE-2026-46640  High      8.8   twig/twig-v3.21.1                Transitive  N/A*
CVE-2026-24425  High      8.8   twig/twig-v3.21.1                Transitive  N/A*
CVE-2026-47732  High      8.5   twig/twig-v3.21.1                Transitive  N/A*
CVE-2025-64500  High      7.3   symfony/http-foundation-v7.3.4   Transitive  N/A*
CVE-2026-48736  High      7.2   symfony/http-foundation-v7.3.4   Transitive  N/A*
CVE-2026-46628  Medium    6.1   twig/twig-v3.21.1                Transitive  N/A*
CVE-2026-47730  Medium    5.4   twig/twig-v3.21.1                Transitive  N/A*
CVE-2026-46635  Low       2.7   twig/twig-v3.21.1                Transitive  N/A*

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2026-46638

Vulnerable Library - twig/twig-v3.21.1

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/285123877d4dd97dd7c11842ac5fb7e86e60d81d

Dependency Hierarchy:

  • symfony/twig-bundle-v7.3.4 (Root Library)
    • twig/twig-v3.21.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Description

The fix for CVE-2024-45411 / GHSA-6j75-5wfj-gh66 added an explicit "$loaded->unwrap()->checkSecurity()" call in "CoreExtension::include()" so that a template already cached in "Environment::$loadedTemplates" is re-checked when included with "sandboxed = true". The deprecated but still functional "{% sandbox %}{% include ... %}{% endsandbox %}" tag path was not updated: it compiles to "enableSandbox(); yield from $this->load(...)->unwrap()->yield(...); disableSandbox();" with no "checkSecurity()" re-invocation. If the included template was loaded once outside the sandbox in the same "Environment" instance, its constructor (and therefore its compiled "checkSecurity()" call) already ran while "isSandboxed()" was "false", so the tags/filters/functions allowlist enforced by "SecurityPolicy::checkSecurity()" is never applied. An attacker who can author the included template gains access to every filter, function and tag registered in the environment, regardless of the sandbox policy.

Resolution

The compiled output of "{% sandbox %}{% include %}" now calls "checkSecurity()" on the loaded template, matching the behaviour of "CoreExtension::include()" with "sandboxed = true".

Credits

Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Publish Date: 2026-06-01

URL: CVE-2026-46638

CVSS 3 Score Details (9.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2026-05-23

Fix Resolution: https://github.com/twigphp/Twig.git - v3.26.0,twig/twig - v3.26.0

CVE-2026-46634

Vulnerable Library - twig/twig-v3.21.1

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/285123877d4dd97dd7c11842ac5fb7e86e60d81d

Dependency Hierarchy:

  • symfony/twig-bundle-v7.3.4 (Root Library)
    • twig/twig-v3.21.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Description

When the sandbox is enabled selectively via "SourcePolicyInterface" (and not globally), a sandboxed template that is allowed to call "template_from_string" and "include" can render an arbitrary inner template with no security policy enforcement. "Environment::createTemplate()" compiles the inner string under a synthesized name ("string_template"), so a name/path-based "SourcePolicy" returns "false" for it, and the inner template's "checkSecurity()" becomes a no-op. From a template the integrator believes is sandboxed, an attacker can use any tag/filter/function (including "constant()" to read secrets, or "|map("system")" to execute shell commands).

Resolution

This is a configuration trap rather than a code bug: there is no legitimate use case for exposing "template_from_string" to untrusted template authors, and propagating the parent sandbox state through "template_from_string" would require invasive changes to "SourcePolicyInterface" semantics with their own risks. Starting with Twig 3.26.0, the documentation and the PHPDoc of "StringLoaderExtension::templateFromString()" explicitly warn against allowing "template_from_string" in a sandboxed environment (i.e. listing it in a "SecurityPolicy" allowed-functions list). Integrators using a "SourcePolicyInterface" MUST NOT allow "template_from_string" in their allowed functions; the safest option is not to register "StringLoaderExtension" at all when a sandbox is in use.

Credits

Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue.

Publish Date: 2026-06-01

URL: CVE-2026-46634

CVSS 3 Score Details (9.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-24x9-r6q4-q93w

Release Date: 2026-05-23

Fix Resolution: twig/twig - v3.26.0

CVE-2026-46633

Vulnerable Library - twig/twig-v3.21.1

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/285123877d4dd97dd7c11842ac5fb7e86e60d81d

Dependency Hierarchy:

  • symfony/twig-bundle-v7.3.4 (Root Library)
    • twig/twig-v3.21.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Description

"Compiler::string()" escapes the double quote, "$", the backslash, NUL and TAB when generating PHP double-quoted string literals, but does not escape single quotes. In "ModuleNode::compileConstructor()", the template name from a "{% use %}" tag is compiled via "subcompile()" -> "string()" and placed inside a surrounding PHP single-quoted string literal. A template name containing a single quote terminates that surrounding string early, allowing arbitrary PHP expressions to be injected into the compiled cache file. The injected code executes within the PHP process when the cache file is first loaded, bypassing the Twig sandbox entirely and achieving remote code execution. "SecurityPolicy" unconditionally allows "{% use %}" regardless of the configured "allowedTags", so this primitive is reachable from sandboxed templates as well.

Resolution

"Compiler::string()" now also escapes single quotes so that template names placed inside single-quoted PHP literals can no longer break out of the surrounding context.

Credits

Twig would like to thank Anvil Secure in collaboration with Claude and Anthropic Research for reporting the issue and providing the fix.

Publish Date: 2026-06-01

URL: CVE-2026-46633

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-7p85-w9px-jpjp

Release Date: 2026-05-23

Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0

CVE-2026-46640

Vulnerable Library - twig/twig-v3.21.1

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/285123877d4dd97dd7c11842ac5fb7e86e60d81d

Dependency Hierarchy:

  • symfony/twig-bundle-v7.3.4 (Root Library)
    • twig/twig-v3.21.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Description

The "obj.(expr)" dynamic-attribute syntax (added in 3.15.0 as the replacement for the deprecated "attribute()" function) lets the attribute be an arbitrary expression. When the receiver is "_self" (or any "{% import %}" alias) and the parenthesised expression is a string literal, "DotExpressionParser" short-circuits to the macro-call path and concatenates the attacker-controlled string into a "MacroReferenceExpression" name with no identifier validation. "MacroReferenceExpression::compile()" then emits that name raw into the generated PHP source. An attacker who can supply template source can inject arbitrary PHP into the compiled template and execute it at template-load time, before "checkSecurity()" is ever called. This is a complete bypass of "SandboxExtension", including a globally-enabled sandbox with an empty "SecurityPolicy" allowlist.

Resolution

The parser now validates that the dynamic attribute resolves to a valid macro identifier before routing through "MacroReferenceExpression", and the macro-reference compiler emits the name through a properly escaped path.

Credits

Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Publish Date: 2026-06-05

URL: CVE-2026-46640

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-45vw-wh46-2vx8

Release Date: 2026-05-23

Fix Resolution: twig/twig - v3.26.0

CVE-2026-24425

Vulnerable Library - twig/twig-v3.21.1

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/285123877d4dd97dd7c11842ac5fb7e86e60d81d

Dependency Hierarchy:

  • symfony/twig-bundle-v7.3.4 (Root Library)
    • twig/twig-v3.21.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.

Publish Date: 2026-05-20

URL: CVE-2026-24425

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-2q52-x2ff-qgfr

Release Date: 2026-05-20

Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0

CVE-2026-47732

Vulnerable Library - twig/twig-v3.21.1

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/285123877d4dd97dd7c11842ac5fb7e86e60d81d

Dependency Hierarchy:

  • symfony/twig-bundle-v7.3.4 (Root Library)
    • twig/twig-v3.21.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Description

"SandboxNodeVisitor" enforces "SecurityPolicy::checkMethodAllowed()" for implicit "__toString()" calls by wrapping selected AST nodes in "CheckToStringNode". The set of wrapped nodes is incomplete, and several Twig language constructs still trigger PHP string coercion on a "Stringable" operand without first consulting the policy. A sandboxed template author can therefore invoke "__toString()" on any object reachable in the render context, even when "__toString" on its class is not allowlisted.

Confirmed bypass vectors:

  • Conditional expressions ("a ? b : c", "a ?: b", "a ?? b") used as the input of a string-coercing filter or as a filter/function argument.
  • The "matches" operator and the loose comparison operators ("==", "!=", "<", ">", "<=", ">=", "<=>"), which coerce a "Stringable" operand to string and can be used as an oracle to recover the value byte by byte (no tag, filter or function needs to be allowlisted).
  • Twig tests in general (which were never policy-gated), in particular "is empty", which casts a "Stringable" value via "(string) $value" in "CoreExtension::testEmpty()".
  • Null-coalesce expressions nested in concatenation, and the direct output of allowed functions or filters that return a "Stringable" object.
  • Arguments passed to allowed object methods, template-name expressions of template-loading tags ("include", "extends", "use", ...), dynamic attribute/property names, and spread arguments from "Traversable" objects.
  • The "do" tag and the ".." range operator.

Resolution

The sandbox now wraps every child node that the parent will string-coerce at runtime, instead of relying on a hardcoded list of node types in "SandboxNodeVisitor". A new "Twig\Node\CoercesChildrenToStringInterface" lets nodes declare which of their children must be guarded; core nodes (concatenation, comparison and range binaries, filter/function/test expressions, "do", "include", "extends", "use", ...) implement it. Spread arguments are materialised and policy-checked via the new "SandboxExtension::ensureSpreadAllowed()", and dynamic attribute names are checked at runtime inside "CoreExtension::getAttribute()".

Credits

Twig would like to thank Anthropic Glasswing and El Kharoubi Iosif for reporting the issues, and Fabien Potencier for providing the fixes.

Publish Date: 2026-06-14

URL: CVE-2026-47732

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-pr2w-4gpj-cpq4

Release Date: 2026-06-14

Fix Resolution: twig/twig - v3.26.0

CVE-2025-64500

Vulnerable Library - symfony/http-foundation-v7.3.4

Defines an object-oriented layer for the HTTP specification

Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/c061c7c18918b1b64268771aad04b40be41dd2e6

Dependency Hierarchy:

  • symfony/twig-bundle-v7.3.4 (Root Library)
    • symfony/http-foundation-v7.3.4 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the "Request" class improperly interprets some "PATH_INFO" in a way that leads to representing some URLs with a path that doesn't start with a "/". This can allow bypassing some access control rules that are built with this "/"-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the "Request" class now ensures that URL paths always start with a "/".

Publish Date: 2025-11-12

URL: CVE-2025-64500

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-3rg7-wf37-54rm

Release Date: 2025-11-12

Fix Resolution: symfony/symfony - v7.3.7,symfony/http-foundation - v6.4.29,symfony/http-foundation - v7.3.7,symfony/symfony - v6.4.29

CVE-2026-48736

Vulnerable Library - symfony/http-foundation-v7.3.4

Defines an object-oriented layer for the HTTP specification

Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/c061c7c18918b1b64268771aad04b40be41dd2e6

Dependency Hierarchy:

  • symfony/twig-bundle-v7.3.4 (Root Library)
    • symfony/http-foundation-v7.3.4 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Description

"Symfony\Component\HttpClient\NoPrivateNetworkHttpClient" is documented as a decorator that blocks requests to private networks by default. The list of blocked subnets ("Symfony\Component\HttpFoundation\IpUtils::PRIVATE_SUBNETS" on 6.4+, a private constant in "NoPrivateNetworkHttpClient" on 5.4) enumerates RFC1918, loopback, link-local and IPv4-mapped IPv6 ("::ffff:0:0/96") prefixes, but omits the remaining IPv6 transition forms that can embed a private IPv4 destination: 6to4 ("2002::/16", RFC 3056), Teredo ("2001::/32", RFC 4380), NAT64 ("64:ff9b::/96", RFC 6052 and "64:ff9b:1::/48", RFC 8215) and IPv4-compatible IPv6 ("::/96", RFC 4291 §2.5.5.1). "IpUtils::checkIp6()" is a pure bitwise CIDR comparison against the constants list and never extracts the embedded IPv4, so an attacker who can supply a URL writes the loopback / RFC1918 IPv4 target as e.g. "http://[2002:7f00:1::]/" (6to4 → 127.0.0.1), "http://[64:ff9b::7f00:1]/" (NAT64 → 127.0.0.1), "http://[::7f00:1]/" (IPv4-compatible → 127.0.0.1) or "http://[2001::1]/" (Teredo). "IpUtils::isPrivateIp()" returns "false" and "NoPrivateNetworkHttpClient" dispatches the request. Real-world reachability of the embedded IPv4 depends on the deploy's IPv6 routing (6to4 tunnel interface, upstream NAT64 gateway, kernel handling of IPv4-compatible addresses), but the security boundary the decorator promises (the dispatch decision) is crossed regardless of whether the packet ultimately lands on the embedded IPv4.

Resolution

The private-subnet list now includes "::/96", "2002::/16", "2001::/32", "64:ff9b::/96" and "64:ff9b:1::/48". Blanket blocking of these prefixes matches the policy applied by Chromium and Mozilla's Private Network Access; server-side HTTPS APIs are not legitimately published on these prefixes. The patches for this issue are available "here" (symfony/symfony@8276536) for branch 5.4 and "here" (symfony/symfony@85b8315) for branch 6.4 (and forward-ported to 7.4, 8.0 and 8.1).

Credits

Symfony would like to thank tonghuaroot for reporting the issue and Nicolas Grekas for providing the fix.

Publish Date: 2026-06-15

URL: CVE-2026-48736

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-38cx-cq6f-5755

Release Date: 2026-06-15

Fix Resolution: symfony/http-client - v5.4.53,symfony/http-foundation - v6.4.41,symfony/http-foundation - v8.0.13,symfony/http-foundation - v7.4.13,https://github.com/symfony/symfony.git - v6.4.41,https://github.com/symfony/symfony.git - v5.4.53,https://github.com/symfony/symfony.git - v8.0.13,https://github.com/symfony/symfony.git - v7.4.13

CVE-2026-46628

Vulnerable Library - twig/twig-v3.21.1

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/285123877d4dd97dd7c11842ac5fb7e86e60d81d

Dependency Hierarchy:

  • symfony/twig-bundle-v7.3.4 (Root Library)
    • twig/twig-v3.21.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Description

The "spaceless" filter is registered with "is_safe => ['html']", which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying "spaceless" to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote "|raw" and autoescape is enabled. Example:

  {% set payload = '<script>alert()</script>' %}
  {{ payload }}            {# escaped #}
  {{ payload|spaceless }}  {# not escaped #}

The filter is deprecated but still functional. With the deprecation, some downstream projects (e.g. Drupal modules) have duplicated the filter and inherited the same "is_safe" flag.

Resolution

The "spaceless" filter no longer marks its output as safe. Documentation has been updated to warn that "spaceless" should not be applied to unsanitised user input.

Credits

Twig would like to thank Pierre Rudloff for reporting the issue.

Publish Date: 2026-06-01

URL: CVE-2026-46628

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-4j38-f5cw-54h7

Release Date: 2026-05-23

Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0

CVE-2026-47730

Vulnerable Library - twig/twig-v3.21.1

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/285123877d4dd97dd7c11842ac5fb7e86e60d81d

Dependency Hierarchy:

  • symfony/twig-bundle-v7.3.4 (Root Library)
    • twig/twig-v3.21.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Description

"Twig\Profiler\Dumper\HtmlDumper" writes "Profile::getTemplate()" and "Profile::getName()" straight into its HTML output without escaping:

  protected function formatTemplate(Profile $profile, $prefix): string
  {
      // vulnerable: the template name is interpolated into HTML without escaping
      return \sprintf('%s└ <span style="background-color: %s">%s</span>', $prefix, self::$colors['template'], $profile->getTemplate());
  }

The template name comes from the loader (the array key for "ArrayLoader", a row id for a database-backed loader, etc.). When that name is attacker-controlled, the profiler dump emits arbitrary HTML, and any browser that renders it executes the injected markup. This is an output-encoding bug in profiler/debug tooling, not a sandbox escape.

Resolution

"HtmlDumper" now runs both "Profile::getTemplate()" and "Profile::getName()" through "htmlspecialchars()" before inserting them into the HTML output.

Credits

Twig would like to thank El Kharoubi Iosif for reporting the issue and Nicolas Grekas for fixing it.

Publish Date: 2026-06-14

URL: CVE-2026-47730

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-2g2g-8p8h-fgwm

Release Date: 2026-06-14

Fix Resolution: twig/twig - 3.26.0

CVE-2026-46635

Vulnerable Library - twig/twig-v3.21.1

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/285123877d4dd97dd7c11842ac5fb7e86e60d81d

Dependency Hierarchy:

  • symfony/twig-bundle-v7.3.4 (Root Library)
    • twig/twig-v3.21.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Description

The "column" filter passes its input straight to PHP's native "array_column()". When the array elements are objects, "array_column()" reads "$obj->$name" (and "$obj->$index") directly, including invoking "__get"/"__isset". Because this property read happens entirely in PHP native code and never reaches "CoreExtension::getAttribute()", "SandboxExtension::checkPropertyAllowed()" is never consulted. An untrusted template author with "column" in their "allowedFilters" list can therefore read any public or magic property of any object reachable in the render context, regardless of the "SecurityPolicy" "allowedProperties" list. This is a variant of CVE-2024-51755 / GHSA-jjxq-ff2g-95vh that the "ArrayAccess"-focused fix did not cover.

Resolution

The "column" filter now routes object property reads through the sandbox-aware attribute accessor so the property allowlist is enforced.

Credits

Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Publish Date: 2026-06-01

URL: CVE-2026-46635

CVSS 3 Score Details (2.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-vcc8-phrv-43wj

Release Date: 2026-05-23

Fix Resolution: twig/twig - v3.26.0,https://github.com/twigphp/Twig.git - v3.26.0
