These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:59.667Z and has not been modified since then. This vulnerability affects Twig template language for PHP, particularly versions prior to 3.26.0. The issue allows a sandboxed template author to invoke __toString() on objects reachable in the render context through various language constructs. [truncated]
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:59.530Z and has not been modified since then. This vulnerability affects Twig versions between 3.0.0 and 3.26.0, allowing attacker-controlled template or profile names to inject arbitrary HTML. The issue is fixed in version 3.26.0. Developers and administrators should review and apply the p [truncated]
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:56.840Z and has not been modified since then. This vulnerability affects Twig template language for PHP, specifically versions 3.15.0 to 3.25.0. The vulnerability allows an attacker to inject and execute arbitrary PHP code due to improper validation of dynamic attribute syntax in MacroRefer [truncated]
CVE-2026-46639 is a vulnerability in the Twig template language for PHP, specifically in the object-destructuring assignment feature. From version 3.24.0 until 3.26.0, the sandbox argument in CoreExtension::getAttribute() is hardcoded to false, which disables property and method policy checks. This allows an attacker with write access to a sandboxed Twig template to read public properties or invoke public [truncated]
A security bypass vulnerability exists in Twig template language for PHP, versions prior to 3.26.0. The {% sandbox %}{% include %} construct can include a template previously loaded outside the sandbox without re-invoking checkSecurity(), potentially allowing the cached template to use denied tags, filters, and functions. This issue is fixed in version 3.26.0. Users of Twig template language for PHP, part [truncated]
The CVE record for CVE-2026-46629 was published on 2026-07-14T22:16:55.860Z and has not been modified since then. The vulnerability affects Twig template language for PHP prior to version 3.26.0, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig Environment. This issue is fixed in version 3.26.0. Users of affected systems should review and update th [truncated]
The CVE-2026-46628 record describes a security vulnerability in the Twig template language for PHP, specifically in the deprecated spaceless filter prior to version 3.26.0. This filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. The vulnerability allows attackers to inject malicious HTML code. The issu [truncated]
CVE-2026-46627 is a high-severity vulnerability in the Twig template language for PHP. The vulnerability allows untrusted templates to cause resource exhaustion, consuming CPU, memory, or wall-clock time, even under the strictest allow-list. This issue was addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion. Affected users should review and update their [truncated]