Security: twigphp/Twig
Security Advisories
View information about security vulnerabilities from this repository's maintainers.
- Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
  GHSA-529h-vh3j-85hq, published May 27, 2026 by fabpot. Severity: Moderate
- Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
  GHSA-p42q-9prx-q5wq, published May 27, 2026 by fabpot. Severity: Low
- Sandbox `__toString()` policy bypass via dynamic mapping keys
  GHSA-5v5v-ww74-355v, published May 27, 2026 by fabpot. Severity: Moderate
- Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` filters and via the `in`/`not in` operators
  GHSA-8x9c-rmqh-456c, published May 27, 2026 by fabpot. Severity: Moderate
- Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
  GHSA-h8vq-8gpg-mhcg, published May 27, 2026 by fabpot. Severity: Moderate
- Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
  GHSA-pr2w-4gpj-cpq4, published May 20, 2026 by nicolas-grekas. Severity: High
- XSS in profiler HtmlDumper via unescaped template and profile names
  GHSA-2g2g-8p8h-fgwm, published May 20, 2026 by nicolas-grekas. Severity: Low
- Sandbox does not protect against resource exhaustion
  GHSA-923g-j88x-j34q, published May 20, 2026 by nicolas-grekas. Severity: Moderate
- HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`
  GHSA-jv8m-2544-3pg3, published May 20, 2026 by nicolas-grekas. Severity: Low
- Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments
  GHSA-35wc-cvqg-78fp, published May 20, 2026 by nicolas-grekas. Severity: Low