CVE-2026-24425: Twig Sandbox Bypass in Template Rendering
Summary
Twig's template sandbox can be bypassed when it is enabled through a custom source policy (a SourcePolicyInterface implementation) rather than globally, allowing an attacker who can influence template rendering to execute arbitrary code. To protect against this, ensure that any custom source policies are properly configured and validated.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| symfony | twig | >= 2.16.0, <= 2.16.1; >= 3.9.0, < 3.26.0 |

CPE: cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*
Original title
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary ...
Original description
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.
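The description contrasts two ways of turning the sandbox on: per template through a SourcePolicyInterface, and globally for every template. The following PHP is an added configuration example, not code from this advisory or from the Twig project; it shows both setups side by side using Twig's public sandbox API (Twig\Extension\SandboxExtension, Twig\Sandbox\SecurityPolicy, Twig\Sandbox\SourcePolicyInterface) and ends with a check that the allow-list is actually enforced. It assumes Twig 3.x installed via Composer on PHP 8; the template names, the allow-lists and the UntrustedOnlyPolicy class are constructed for illustration.

```php
<?php
// Added example (not from the advisory or the Twig project). Assumes Twig 3.x
// installed with Composer and PHP 8 (str_starts_with).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Allow-list policy (constructed): two tags, two filters, and no methods,
// properties or functions. Tighten this to what your templates really need.
$policy = new SecurityPolicy(
    ['if', 'for'],        // allowed tags
    ['escape', 'upper'],  // allowed filters
    [],                   // allowed methods
    [],                   // allowed properties
    []                    // allowed functions
);

// Constructed templates: "trusted" is application-owned, "untrusted" is user-supplied.
$loader = new ArrayLoader([
    'trusted.twig'   => 'Hello {{ name|upper }}',
    'untrusted.twig' => 'Hi {{ name|upper }}',
]);

// (a) Sandbox enabled per template through a source policy. This is the setup
//     the advisory describes as bypassable in the affected versions.
final class UntrustedOnlyPolicy implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        return str_starts_with($source->getName(), 'untrusted');
    }
}
$perSource = new Environment($loader);
$perSource->addExtension(new SandboxExtension($policy, false, new UntrustedOnlyPolicy()));

// (b) Sandbox enabled globally: every template, trusted or not, is checked
//     against $policy. The advisory states the bypass applies when the sandbox
//     is enabled through a source policy rather than globally.
$global = new Environment($loader);
$global->addExtension(new SandboxExtension($policy, true));

// Enforcement check for setup (b): 'join' is not on the filter allow-list,
// so rendering this probe template must raise a SecurityError.
$probe = new Environment(new ArrayLoader(['probe.twig' => '{{ ["a", "b"]|join(",") }}']));
$probe->addExtension(new SandboxExtension($policy, true));
try {
    $probe->render('probe.twig');
    echo "sandbox policy NOT enforced\n";
} catch (SecurityError $e) {
    echo "sandbox policy enforced: " . $e->getMessage() . "\n";
}

// Normal rendering still works for allow-listed constructs.
echo $global->render('untrusted.twig', ['name' => 'reader']) . "\n";
```

The probe at the end is the part worth keeping in a test suite: it fails loudly if a later configuration change (or a version that ignores the policy for a given template) lets a non-allow-listed filter run. Enabling the sandbox globally costs some flexibility, since trusted templates are held to the same allow-list, but it removes the per-source decision that the advisory identifies as the bypassed check.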
NVD CVSS 3.1
8.8
NVD CVSS 4.0
8.7
Vulnerability type
CWE-693
Protection Mechanism Failure
Published: 20 May 2026 · Updated: 2 Jun 2026 · First seen: 20 May 2026