PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48805 twigphp CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:17:04.773Z and has not been modified since then. Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0. Users should review their usage of Twig and ensure they are using the latest version to prevent potential exploitation.

Vendor
twigphp
Product
Twig
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-17
Advisory published
2026-07-14
Advisory updated
2026-07-17

Who should care

Users of Twig template language for PHP, especially those using versions prior to 3.27.0, should be aware of this vulnerability and take necessary actions to upgrade or apply patches. This includes reviewing and updating PHP applications using Twig to ensure they are not vulnerable and monitoring for any suspicious activity related to Twig usage. Security teams and operators should also be aware of the potential impact of this vulnerability on their systems and take steps to mitigate it.

Technical summary

A vulnerability was found in Twig template language for PHP, specifically in the src/Resources/core.php file. Deprecated internal wrappers did not forward the current sandbox state to certain functions, allowing legacy calls to bypass sandbox callable restrictions. This issue was fixed in version 3.27.0. The vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity. Users of Twig template language for PHP, especially those using versions prior to 3.27.0, should be aware of this vulnerability and take necessary actions to upgrade or apply patches.

Defensive priority

Medium priority, as the vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity.

Recommended defensive actions

  • Upgrade to Twig version 3.27.0 or later
  • Review and update PHP applications using Twig to ensure they are not vulnerable
  • Monitor for any suspicious activity related to Twig usage
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, its impact, and the fixed version. However, further analysis and testing may be necessary to fully understand the vulnerability and its potential impact. The vulnerability is related to deprecated internal wrappers in src/Resources/core.php not forwarding the current sandbox state to certain functions. This allows legacy calls to bypass sandbox callable restrictions. The issue is fixed in version 3.27.0. Users should review their usage of Twig and ensure they are using the latest version to prevent potential exploitation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:17:04.773Z and has not been modified since then.