Search CVE reports


Toggle filters

11 – 20 of 27 results


CVE-2026-46637

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in...

1 affected package

php-twig

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
php-twig Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-46635

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute()...

1 affected package

php-twig

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
php-twig Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-46634

Medium priority
Needs evaluation

Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__<hash> name that can fall outside a SourcePolicyInterface sandbox decision,...

1 affected package

php-twig

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
php-twig Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-46633

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name...

1 affected package

php-twig

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
php-twig Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-46629

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a...

1 affected package

php-twig

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
php-twig Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-46628

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted...

1 affected package

php-twig

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
php-twig Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-46627

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource...

1 affected package

php-twig

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
php-twig Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-46636

Medium priority
Needs evaluation

[Unknown description]

1 affected package

php-twig

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
php-twig Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-24425

Medium priority

Some fixes available 1 of 2

Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter,...

1 affected package

php-twig

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
php-twig Fixed Not affected Not affected Not affected
Show less packages

CVE-2025-24374

Low priority
Needs evaluation

Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

2 affected packages

php-twig, twig

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
php-twig Not affected Not affected Not affected Not affected
twig Not in release Not in release Not in release Not in release Needs evaluation
Show less packages