Package impact
COMPOSER / twig/twig
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46634 | medium | — | 5.5 | 9d ago | Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name | |||
| CVE-2026-46638 | medium | — | 5.5 | 9d ago | Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411) | |||
| CVE-2026-46628 | low | — | 2.5 | 9d ago | Twig: The `spaceless` filter implicitly marks its output as safe | |||
| CVE-2026-46635 | low | — | 2.5 | 9d ago | Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) |