PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49981 twigphp CVE debrief

A security issue was found in Twig, a template language for PHP. The per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders. This allows a later sandboxed render to reuse a template that was originally checked with a different or empty policy. The issue is fixed in version 3.27.0. Affected product deployments should be reviewed for potential exposure, and owners should be assigned for follow-up. The vulnerability has a CVSS score of 6, indicating medium severity.

Vendor
twigphp
Product
Twig
CVSS
MEDIUM 6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-17
Advisory published
2026-07-14
Advisory updated
2026-07-17

Who should care

Users of Twig template language for PHP, especially those using versions prior to 3.27.0, should be aware of this security issue and take necessary actions to protect their applications. Affected operator, platform, vulnerability-management, and security-team impact should be reviewed to ensure proper mitigation.

Technical summary

A security issue was found in Twig, a template language for PHP. The per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders. This allows a later sandboxed render to reuse a template that was originally checked with a different or empty policy. The issue is fixed in version 3.27.0. The vulnerability has a CVSS score of 6, indicating medium severity. Affected product context suggests that users of Twig template language for PHP, especially those using versions prior to 3.27.0, should be aware of this security issue and take necessary actions to protect their applications.

Defensive priority

Medium priority due to the CVSS score of 6 and the potential for attackers to exploit this vulnerability in certain scenarios.

Recommended defensive actions

  • Update Twig to version 3.27.0 or later
  • Review and adjust template policies and sandbox configurations
  • Monitor for any suspicious activity or exploitation attempts
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and its fix. The vendor advisory and patch information are available on the Twig GitHub repository. Evidence limits suggest that further verification is needed to confirm affected scope and severity. Defenders should verify the official advisory and patch information to ensure proper mitigation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:17:13.070Z and has not been modified since then.