VIR Vulnerability Intelligence Relay

Package impact

php Packagist / twig/twig

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Published Description Impact
CVE-2026-46633 critical 9.5 8d ago Twig: PHP code injection via `{% use %}` template name debianphp
CVE-2026-46628 low 2.5 8d ago Twig: The `spaceless` filter implicitly marks its output as safe debianphp
CVE-2026-46635 low 2.5 8d ago Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) debianphp
CVE-2026-48808 unknown 19h ago Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface` debianphp
CVE-2026-46636 unknown 19h ago Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders debianphp
CVE-2026-48805 unknown 19h ago Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php` debianphp
CVE-2026-48806 unknown 19h ago Sandbox `__toString()` policy bypass via dynamic mapping keys debianphp
CVE-2026-48807 unknown 19h ago Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators debianphp
CVE-2026-46627 unknown 8d ago Sandbox does not protect against resource exhaustion debianphp
CVE-2026-47730 unknown 8d ago XSS in profiler HtmlDumper via unescaped template and profile names debianphp
CVE-2026-47732 unknown 8d ago Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points debianphp
CVE-2025-24374 unknown 1y ago Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0. debianphp
CVE-2024-51755 unknown 2y ago Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property polic… debianphp
CVE-2024-51754 unknown 2y ago Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of … debianphp
CVE-2024-45411 unknown 2y ago Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability i… debianphp
CVE-2022-39261 unknown 4y ago Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us… debianphp
CVE-2022-23614 unknown 4y ago Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In… debianphp