PatchSiren

twigphp CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH twigphp CVE published 2026-07-14

CVE-2026-47732

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:59.667Z and has not been modified since then. This vulnerability affects Twig template language for PHP, particularly versions prior to 3.26.0. The issue allows a sandboxed template author to invoke __toString() on objects reachable in the render context through various language constructs. [truncated]

MEDIUM twigphp CVE published 2026-07-14

CVE-2026-47730

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:59.530Z and has not been modified since then. This vulnerability affects Twig versions between 3.0.0 and 3.26.0, allowing attacker-controlled template or profile names to inject arbitrary HTML. The issue is fixed in version 3.26.0. Developers and administrators should review and apply the p [truncated]

HIGH twigphp CVE published 2026-07-14

CVE-2026-46640

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:56.840Z and has not been modified since then. This vulnerability affects Twig template language for PHP, specifically versions 3.15.0 to 3.25.0. The vulnerability allows an attacker to inject and execute arbitrary PHP code due to improper validation of dynamic attribute syntax in MacroRefer [truncated]

HIGH twigphp CVE published 2026-07-14

CVE-2026-46639

CVE-2026-46639 is a vulnerability in the Twig template language for PHP, specifically in the object-destructuring assignment feature. From version 3.24.0 until 3.26.0, the sandbox argument in CoreExtension::getAttribute() is hardcoded to false, which disables property and method policy checks. This allows an attacker with write access to a sandboxed Twig template to read public properties or invoke public [truncated]

MEDIUM twigphp CVE published 2026-07-14

CVE-2026-46638

A security bypass vulnerability exists in Twig template language for PHP, versions prior to 3.26.0. The {% sandbox %}{% include %} construct can include a template previously loaded outside the sandbox without re-invoking checkSecurity(), potentially allowing the cached template to use denied tags, filters, and functions. This issue is fixed in version 3.26.0. Users of Twig template language for PHP, part [truncated]

MEDIUM twigphp CVE published 2026-07-14

CVE-2026-46629

The CVE record for CVE-2026-46629 was published on 2026-07-14T22:16:55.860Z and has not been modified since then. The vulnerability affects Twig template language for PHP prior to version 3.26.0, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig Environment. This issue is fixed in version 3.26.0. Users of affected systems should review and update th [truncated]

MEDIUM twigphp CVE published 2026-07-14

CVE-2026-46628

The CVE-2026-46628 record describes a security vulnerability in the Twig template language for PHP, specifically in the deprecated spaceless filter prior to version 3.26.0. This filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. The vulnerability allows attackers to inject malicious HTML code. The issu [truncated]

HIGH twigphp CVE published 2026-07-14

CVE-2026-46627

CVE-2026-46627 is a high-severity vulnerability in the Twig template language for PHP. The vulnerability allows untrusted templates to cause resource exhaustion, consuming CPU, memory, or wall-clock time, even under the strictest allow-list. This issue was addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion. Affected users should review and update their [truncated]