SB2026052091 - Multiple vulnerabilities in Twig

Published: May 20, 2026

Security Bulletin ID SB2026052091
CSH Severity
High
Patch available
YES
Number of vulnerabilities 13
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 15%, Medium 54%, Low 31%

Description

This security bulletin contains information about 13 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-47732)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass sandbox policy restrictions and invoke unauthorized __toString() methods.

The vulnerability exists due to improper access control in SandboxNodeVisitor and related string coercion handling when rendering sandboxed templates that trigger implicit string coercion on Stringable objects. A remote user can craft a sandboxed template that uses unguarded language constructs to bypass sandbox policy restrictions and invoke unauthorized __toString() methods.

The issue affects multiple Twig constructs that coerce Stringable operands to strings without first consulting the sandbox policy, including comparisons, tests, conditional expressions, dynamic attribute names, template-loading expressions, spread arguments, the do tag, and the range operator.


2) Cross-site scripting (CVE-ID: CVE-2026-47730)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in Twig\Profiler\Dumper\HtmlDumper when rendering profiler output containing attacker-controlled template or profile names. A remote attacker can supply crafted template or profile names to execute arbitrary script in the victim's browser.

This affects profiler and debug output and is not a sandbox escape.


3) Resource exhaustion (CVE-ID: CVE-2026-46627)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the Twig sandbox when rendering untrusted templates. A remote attacker can submit a crafted template to cause a denial of service.

The issue occurs even under a strict sandbox allow-list.


4) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-46637)

CWE-ID: CWE-116 - Improper Encoding or Escaping of Output

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform cross-site scripting.

The vulnerability exists due to improper encoding or escaping of output in html-output filters in twig/markdown-extra and twig/cssinliner-extra when rendering attacker-controlled content in non-html escaping contexts. A remote attacker can supply crafted input that is processed by affected filters to perform cross-site scripting.

The issue stems from filters being incorrectly declared with is_safe => ['all'], causing Twig autoescaping to treat output as safe across contexts such as html, javascript, css, and url.


5) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-46629)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in IntlExtension formatter memoization when processing template-controlled formatter arguments. A remote attacker can supply many distinct locale, pattern, or formatting argument values to cause a denial of service.

On long-running runtimes where the Twig environment persists across requests, the cache can accumulate across requests, and the allocated ICU backing buffers are not bounded by PHP memory_limit.


6) Protection Mechanism Failure (CVE-ID: CVE-2026-46638)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass sandbox restrictions.

The vulnerability exists due to protection mechanism failure in the {% sandbox %}{% include %} template inclusion path when including a cached template in a sandboxed context. A remote user can author a template that is first loaded outside the sandbox and then included inside the sandbox to bypass sandbox restrictions.

The issue occurs when the included template was previously loaded in the same Environment instance outside the sandbox, preventing the sandbox security allowlist from being re-applied.


7) Protection Mechanism Failure (CVE-ID: CVE-2026-46634)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass sandbox restrictions and execute arbitrary code or disclose sensitive information.

The vulnerability exists due to protection mechanism failure in StringLoaderExtension::templateFromString() and Environment::createTemplate() when rendering an inner template from a sandboxed template under a SourcePolicyInterface-driven selective sandbox. A remote attacker can invoke template_from_string and include to render a synthesized inner template without security policy enforcement to bypass sandbox restrictions and execute arbitrary code or disclose sensitive information.

The issue occurs when the sandbox is enabled selectively via SourcePolicyInterface rather than globally, and the synthesized template name causes name-based policy checks to be skipped for the inner template.


8) Incorrect authorization (CVE-ID: CVE-2026-46635)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the `column` filter when processing arrays of objects in sandboxed templates. A remote user can use the filter to read public or magic properties of reachable objects to disclose sensitive information.

Exploitation requires an untrusted template author to have the `column` filter in their `allowedFilters` list.


9) Code Injection (CVE-ID: CVE-2026-46640)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of code generation in MacroReferenceExpression compilation when processing template source that uses `_self.()` or an import alias with a string literal dynamic attribute. A remote user can supply a specially crafted template to execute arbitrary code.

Code execution occurs at template-load time before `checkSecurity()` is called, resulting in a bypass of `SandboxExtension`.


10) Code Injection (CVE-ID: CVE-2026-46633)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to code injection in ModuleNode::compileConstructor() when compiling a template name from a {% use %} tag into a surrounding PHP single-quoted string literal. A remote attacker can supply a specially crafted template name containing a single quote to execute arbitrary code.

The injected PHP executes when the compiled cache file is first loaded, and the issue is reachable from sandboxed templates because SecurityPolicy unconditionally allows the {% use %} tag.


11) Protection Mechanism Failure (CVE-ID: CVE-2026-46639)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass sandbox property and method restrictions.

The vulnerability exists due to protection mechanism failure in ObjectDestructuringSetBinary::compile() when processing object-destructuring assignment expressions in sandboxed templates. A remote user can write a crafted sandboxed Twig template to bypass sandbox property and method restrictions.

Exploitation requires write access to a sandboxed template, and the issue affects property access and public getter invocation on objects passed to the template engine. The exploit also requires the {% do %} tag to be allowed.


12) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-46628)

CWE-ID: CWE-116 - Improper Encoding or Escaping of Output

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper encoding or escaping of output in the `spaceless` filter when rendering attacker-controlled input in an HTML context. A remote attacker can supply crafted markup that is processed with the filter to execute arbitrary script in the victim's browser.

The issue occurs even when autoescaping is enabled and the developer does not explicitly use the `raw` filter.


13) Protection Mechanism Failure (CVE-ID: CVE-2026-24425)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to protection mechanism failure in callback-accepting filters when processing user-controlled templates in sandbox mode enabled through a source policy. A remote user can supply a non-Closure callback to execute arbitrary code.

The issue affects the sort, filter, map, and reduce filters only when the sandbox is not enabled globally and a SourcePolicyInterface enables sandboxing for the rendered template.
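Several entries above (7 and 13 on selective sandboxing through SourcePolicyInterface, 8 on the `column` filter, 11 on the `do` tag) come down to how the Twig sandbox is wired. The following is an added example, not code from the bulletin or from the Twig project, showing the looser configuration those entries describe beside a globally enabled sandbox with a tighter allow-list; the template names, file paths and variables are made up, and it assumes twig/twig 3.x installed via Composer.

```php
<?php
// Added example (not from the bulletin or the Twig project). Assumes twig/twig 3.x
// via Composer; template names, paths and variables are constructed for illustration.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Constructed sample templates: one trusted layout, one authored by an untrusted user.
$loader = new ArrayLoader([
    'layout.twig'    => '<h1>{{ title }}</h1>',
    'user/page.twig' => '<p>{{ body }}</p>',
]);

// Looser configuration: the sandbox is switched on per template by name through a
// source policy (the selective mode that items 7 and 13 depend on), and the policy
// grants the `do` tag (item 11) and the `column` filter (item 8) to every sandboxed author.
$selective = new class implements SourcePolicyInterface {
    public function enableSandbox(Source $source): bool
    {
        return str_starts_with($source->getName(), 'user/');
    }
};
$loosePolicy = new SecurityPolicy(
    ['if', 'for', 'do'],            // allowed tags
    ['escape', 'length', 'column'], // allowed filters
    [],                             // allowed methods (class => [method, ...])
    [],                             // allowed properties
    []                              // allowed functions
);
$loose = new Environment($loader, ['autoescape' => 'html']);
$loose->addExtension(new SandboxExtension($loosePolicy, false, $selective));

// Tighter configuration: sandbox enabled globally for every template rendered by this
// Environment, and the allow-list holds only what the untrusted templates actually use.
$strictPolicy = new SecurityPolicy(
    ['if', 'for'],
    ['escape', 'length'],
    [], [], []
);
$strict = new Environment($loader, ['autoescape' => 'html']);
$strict->addExtension(new SandboxExtension($strictPolicy, true));

// Rendering an untrusted template under the global sandbox; autoescaping still applies.
echo $strict->render('user/page.twig', ['body' => '<b>constructed input</b>']), "\n";
```

A globally enabled sandbox does not replace the vendor update in the Remediation section; it narrows what an untrusted template author can reach while the update is rolled out.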


Remediation

Install update from vendor's website.