CVE-2026-46633 critical —
9.5
8d ago
Twig: PHP code injection via `{% use %}` template name
debian php
CVE-2026-24425 high 8.8
8.8
8d ago
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PH…
debian php
CVE-2026-46639 high —
8.0
8d ago
Twig: Sandbox property and method bypass via object-destructuring assignment
debian php
CVE-2026-46640 high —
8.0
8d ago
Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation
debian php
CVE-2015-7809 medium —
6.8
11y ago
Twig remote code execution in templates
php
CVE-2026-46638 medium —
5.5
8d ago
Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
debian php
CVE-2026-46634 medium —
5.5
8d ago
Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
debian php
CVE-2026-46635 low —
2.5
8d ago
Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects)
debian php
CVE-2026-46628 low —
2.5
8d ago
Twig: The `spaceless` filter implicitly marks its output as safe
debian php