PatchSiren cyber security CVE debrief
CVE-2026-49981 twigphp CVE debrief
A security issue was found in Twig, a template language for PHP. The per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders. This allows a later sandboxed render to reuse a template that was originally checked with a different or empty policy. The issue is fixed in version 3.27.0. Affected product deployments should be reviewed for potential exposure, and owners should be assigned for follow-up. The vulnerability has a CVSS score of 6, indicating medium severity.
- Vendor
- twigphp
- Product
- Twig
- CVSS
- MEDIUM 6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-17
Who should care
Users of Twig template language for PHP, especially those using versions prior to 3.27.0, should be aware of this security issue and take necessary actions to protect their applications. Affected operator, platform, vulnerability-management, and security-team impact should be reviewed to ensure proper mitigation.
Technical summary
A security issue was found in Twig, a template language for PHP. The per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders. This allows a later sandboxed render to reuse a template that was originally checked with a different or empty policy. The issue is fixed in version 3.27.0. The vulnerability has a CVSS score of 6, indicating medium severity. Affected product context suggests that users of Twig template language for PHP, especially those using versions prior to 3.27.0, should be aware of this security issue and take necessary actions to protect their applications.
Defensive priority
Medium priority due to the CVSS score of 6 and the potential for attackers to exploit this vulnerability in certain scenarios.
Recommended defensive actions
- Update Twig to version 3.27.0 or later
- Review and adjust template policies and sandbox configurations
- Monitor for any suspicious activity or exploitation attempts
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record and NVD detail provide information on the vulnerability and its fix. The vendor advisory and patch information are available on the Twig GitHub repository. Evidence limits suggest that further verification is needed to confirm affected scope and severity. Defenders should verify the official advisory and patch information to ensure proper mitigation.
Official resources
-
CVE-2026-49981 CVE record
CVE.org
-
CVE-2026-49981 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:17:13.070Z and has not been modified since then.