Twig Template Sandbox Bypass in Versions 2.16.x and 3.9.0 to 3.25.x
DEBIAN-CVE-2026-24425
Score: 9.9
Summary
Certain versions of Twig, a PHP templating engine, allow an attacker to bypass the sandbox and execute arbitrary code when rendering templates. The bypass applies when the sandbox is enabled per template through a SourcePolicyInterface rather than globally, and affects sites that run affected Twig versions and let untrusted users supply or render templates. To stay secure, update to a fixed version of Twig as soon as possible.
What to do
- Debian 13: update php-twig to version 3.27.0-0+deb13u1.
- Debian 14: update php-twig to version 3.26.0-1.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| Debian:13 | debian | php-twig | < 3.27.0-0+deb13u1 | upgrade to 3.27.0-0+deb13u1 |
| Debian:14 | debian | php-twig | < 3.26.0-1 | upgrade to 3.26.0-1 |
Original title
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary ...
Original description
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.
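The description hinges on how the sandbox was switched on. The following is an added example, not code from the advisory or from the Twig project: it builds two Twig environments with the same allow-list policy, one enabling the sandbox per template through a SourcePolicyInterface (the mode the description names) and one enabling it globally, then gates on the installed Twig version against the affected ranges quoted above. The Composer autoload path and the "user_" name prefix for untrusted templates are assumptions for illustration. Upgrading remains the fix; the configuration contrast only shows what "enabled through a source policy rather than globally" refers to.

```php
<?php
// Added example (not from the advisory or the Twig project). Assumes a Composer
// install of twig/twig >= 3.9 with the autoloader at vendor/autoload.php.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Constructed templates: "layout" is trusted, anything prefixed "user_" is
// treated as attacker-controlled (hypothetical naming convention).
$loader = new ArrayLoader([
    'layout'       => 'Hello {{ name|upper }}',
    'user_comment' => '{{ items|map(x => x * 2)|join(",") }}',
]);

// Allow-list policy: only these tags and filters are usable inside the sandbox.
$policy = new SecurityPolicy(
    ['if', 'for'],            // allowed tags
    ['upper', 'map', 'join'], // allowed filters
    [],                       // allowed methods
    [],                       // allowed properties
    []                        // allowed functions
);

// Mode A: sandbox decided per template by a SourcePolicyInterface. This is the
// configuration the advisory ties the bypass to on affected versions.
final class UntrustedSourcePolicy implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        return str_starts_with($source->getName(), 'user_');
    }
}

$perTemplate = new Environment($loader);
$perTemplate->addExtension(new SandboxExtension($policy, false, new UntrustedSourcePolicy()));

// Mode B: sandbox on for every template (second constructor argument is true).
$global = new Environment($loader);
$global->addExtension(new SandboxExtension($policy, true));

foreach (['per-template sandbox' => $perTemplate, 'global sandbox' => $global] as $label => $twig) {
    echo $label, ': ', $twig->render('user_comment', ['items' => [1, 2, 3]]), PHP_EOL;
}

// Version gate taken from the advisory text: 2.16.x, and 3.9.0 through 3.25.x.
// The Debian fix for trixie+1 is 3.26.0-1, so 3.26.0 is the first clean 3.x.
function twigIsAffected(string $version): bool
{
    $inTwo   = version_compare($version, '2.16.0', '>=') && version_compare($version, '2.17.0', '<');
    $inThree = version_compare($version, '3.9.0', '>=')  && version_compare($version, '3.26.0', '<');
    return $inTwo || $inThree;
}

printf("Installed Twig %s affected by CVE-2026-24425: %s\n",
    Environment::VERSION,
    twigIsAffected(Environment::VERSION) ? 'yes' : 'no');
```

Run it with `php check_twig_sandbox.php` from the project root. Both environments render the benign arrow-function template identically; the difference that matters is only that Mode A leaves the decision to `enableSandbox()` per source, which is the path the description says fails to consult the current template source on affected versions. If `twigIsAffected()` reports `yes`, upgrade rather than rely on switching modes.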
CVSS 3.1 (osv): 8.8
- https://security-tracker.debian.org/tracker/CVE-2026-24425 Vendor Advisory
Published: 20 May 2026 · Updated: 2 Jun 2026 · First seen: 28 May 2026