Package impact
Packagist / twig/twig
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-24425 | high | 8.8 | 8.8 | 8d ago | Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PH… | |
| CVE-2026-46639 | high | — | 8.0 | 8d ago | Twig: Sandbox property and method bypass via object-destructuring assignment | |
| CVE-2026-46640 | high | — | 8.0 | 8d ago | Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation | |
| CVE-2026-46628 | low | — | 2.5 | 8d ago | Twig: The `spaceless` filter implicitly marks its output as safe | |
| CVE-2026-46635 | low | — | 2.5 | 8d ago | Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) |