SB2026060335 - Debian update for php-twig
Published: June 3, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2024-51754)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the sandbox when processing objects in an array or an argument list. A remote privileged user can place an object in an array or argument list to disclose sensitive information.
The issue occurs when `__toString()` is invoked even though that method is not allowed by the security policy.
2) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-46628)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to improper encoding or escaping of output in the `spaceless` filter when rendering attacker-controlled input in an HTML context. A remote attacker can supply crafted markup that is processed with the filter to execute arbitrary script in the victim's browser.
The issue occurs even when autoescaping is enabled and the developer does not explicitly use the `raw` filter.
3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-46629)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in `IntlExtension` formatter memoization when processing template-controlled formatter arguments. A remote attacker can supply many distinct locale, pattern, or formatting argument values to cause a denial of service.
On long-running runtimes where the Twig environment persists across requests, the memoization cache keeps growing from one request to the next, and the ICU buffers backing the cached formatters are not bounded by PHP's `memory_limit`.
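The general mitigation pattern for the unbounded memoization described above is a cache with a hard cap on entries, since a limit on PHP heap alone does not cover ICU allocations. The following is an added illustration and is not Twig's code or its fix: `BoundedFormatterCache` is a hypothetical LRU cache written for this bulletin, and the `NumberFormatter` usage assumes the `intl` extension is loaded.

```php
<?php
// Added illustration, not Twig code. A bounded memoization cache for
// expensive formatter objects: the entry count is capped, so a template
// that varies locale or pattern on every call cannot grow the cache
// without limit, whatever PHP's memory_limit says about the ICU buffers.

declare(strict_types=1);

final class BoundedFormatterCache
{
    /** @var array<string, object> insertion-ordered; least recently used first */
    private array $entries = [];

    public function __construct(private readonly int $maxEntries = 64) {}

    /**
     * Return the cached object for $key, creating it with $factory if absent.
     * When the cap is reached, the least recently used entry is evicted first,
     * so the number of live formatters never exceeds $maxEntries.
     */
    public function get(string $key, callable $factory): object
    {
        if (array_key_exists($key, $this->entries)) {
            // Re-insert to mark this key as most recently used.
            $value = $this->entries[$key];
            unset($this->entries[$key]);
            return $this->entries[$key] = $value;
        }
        if (count($this->entries) >= $this->maxEntries) {
            // Evict the least recently used entry (the first key).
            unset($this->entries[array_key_first($this->entries)]);
        }
        return $this->entries[$key] = $factory();
    }

    public function size(): int
    {
        return count($this->entries);
    }
}

// Usage: memoize NumberFormatter instances keyed by locale and pattern,
// with a deliberately tiny cap so eviction is visible.
$cache = new BoundedFormatterCache(maxEntries: 2);
$created = 0;

$format = static function (string $locale, string $pattern, float $value) use ($cache, &$created): string {
    $formatter = $cache->get("{$locale}|{$pattern}", static function () use ($locale, $pattern, &$created): NumberFormatter {
        $created++;
        return new NumberFormatter($locale, NumberFormatter::PATTERN_DECIMAL, $pattern);
    });
    return $formatter->format($value);
};

// Constructed sample: three distinct locales, with repeats, against a cap of two.
foreach (['en_US', 'de_DE', 'en_US', 'fr_FR', 'en_US'] as $locale) {
    echo $locale, ': ', $format($locale, '#,##0.00', 1234.5), "\n";
}
// Expect 3 formatters created (de_DE evicted when fr_FR arrives) and 2 cached.
printf("formatters created: %d, cached: %d (cap 2)\n", $created, $cache->size());
```

With the cap in place, an attacker-controlled stream of distinct keys can at worst thrash the cache (re-creating formatters), which costs CPU but no longer accumulates memory across requests.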
4) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-46637)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform cross-site scripting.
The vulnerability exists due to improper encoding or escaping of output in HTML-output filters in twig/markdown-extra and twig/cssinliner-extra when rendering attacker-controlled content in non-HTML escaping contexts. A remote attacker can supply crafted input that is processed by affected filters to perform cross-site scripting.
The issue stems from filters being incorrectly declared with `is_safe => ['all']`, causing Twig autoescaping to treat their output as safe across contexts such as `html`, `js`, `css`, and `url`.
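The difference between the two `is_safe` declarations is easiest to see by registering the same filter both ways and rendering it in an HTML and a JavaScript context. This is an added example, not code from Twig or from the affected extensions: the `badge` filter is hypothetical, and the Composer autoload path is assumed.

```php
<?php
// Added illustration, not code from Twig, twig/markdown-extra or
// twig/cssinliner-extra. It registers one hypothetical filter twice, once
// with the weak declaration the bulletin describes and once with a
// context-limited one, and renders both in an HTML body and a JS string.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';   // assumes twig/twig installed via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Hypothetical filter: HTML-escapes its argument and wraps it in a span.
// Its output is safe in an HTML context and in no other context.
$renderBadge = static fn (string $label): string =>
    '<span class="badge">' . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</span>';

// Weak: output is declared safe for every escaping strategy, so Twig emits
// it verbatim even inside js, css or url contexts. The span's own double
// quotes then land unescaped inside the JavaScript string below.
$weak = new TwigFilter('badge', $renderBadge, ['is_safe' => ['all']]);

// Corrected: safe for html only. In any other context Twig still applies
// that context's escaper to the filter's output.
$fixed = new TwigFilter('badge', $renderBadge, ['is_safe' => ['html']]);

// Constructed template that uses the filter in two contexts.
$loader = new ArrayLoader([
    'page' => '<p>{{ name|badge }}</p>' . "\n"
        . '<script>var label = "{% autoescape "js" %}{{ name|badge }}{% endautoescape %}";</script>',
]);

$context = ['name' => 'Alice <Q>'];   // constructed sample input

foreach (['weak' => $weak, 'fixed' => $fixed] as $label => $filter) {
    $twig = new Environment($loader, ['autoescape' => 'html']);
    $twig->addFilter($filter);
    echo "--- {$label} ---\n", $twig->render('page', $context), "\n";
}
```

In the `weak` output the `<script>` block receives the raw `<span class="badge">` markup, whose quotes terminate the JavaScript string; in the `fixed` output the same markup is passed through Twig's `js` escaper and stays inside the string. When auditing an extension, every filter or function option reading `is_safe => ['all']` deserves the question of which single context its output was actually built for.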
5) Cross-site scripting (CVE-ID: CVE-2026-47730)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting in `Twig\Profiler\Dumper\HtmlDumper` when rendering profiler output containing attacker-controlled template or profile names. A remote attacker can supply crafted template or profile names to execute arbitrary script in the victim's browser.
This affects profiler and debug output and is not a sandbox escape.
6) Code Injection (CVE-ID: CVE-2026-46633)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to code injection in `ModuleNode::compileConstructor()` when compiling a template name from a `{% use %}` tag into a surrounding PHP single-quoted string literal. A remote attacker can supply a specially crafted template name containing a single quote to execute arbitrary code.
The injected PHP executes when the compiled cache file is first loaded, and the issue is reachable from sandboxed templates because `SecurityPolicy` unconditionally allows the `{% use %}` tag.
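Any code generator that embeds a runtime string into emitted PHP source has the same failure mode, and it can be unit-tested with PHP's own tokenizer: the emitted fragment must tokenize as exactly one string literal. The following is an added example and is not Twig's code or its fix; the emitter and check functions are hypothetical, and the template names are constructed.

```php
<?php
// Added illustration, not Twig's code or fix. A check for code generators
// that embed a runtime string into emitted PHP source: the fragment must
// tokenize as a single string literal, so no input byte can end it early.

declare(strict_types=1);

/**
 * Emit a PHP single-quoted literal for $value. Inside single quotes only
 * the quote and the backslash carry meaning, so escaping those two bytes
 * is sufficient for any input.
 */
function emitSingleQuotedLiteral(string $value): string
{
    return "'" . addcslashes($value, "'\\") . "'";
}

/**
 * Naive emitter of the kind the bulletin describes: raw concatenation into
 * the quotes. Kept only so the check below can be seen rejecting it.
 */
function emitNaively(string $value): string
{
    return "'" . $value . "'";
}

/**
 * True when $phpFragment is exactly one T_CONSTANT_ENCAPSED_STRING token
 * followed by the terminating semicolon. PHP's own tokenizer gives the
 * same verdict the engine reaches when the generated cache file is loaded.
 */
function isSingleStringLiteral(string $phpFragment): bool
{
    $tokens = array_values(array_filter(
        PhpToken::tokenize('<?php ' . $phpFragment . ';'),
        static fn (PhpToken $t): bool => !$t->isIgnorable()   // drops open tag and whitespace
    ));

    return count($tokens) === 2
        && $tokens[0]->is(T_CONSTANT_ENCAPSED_STRING)
        && $tokens[1]->is(';');
}

// Constructed template names; the ones containing a quote or a trailing
// backslash are where the two emitters diverge.
$names = ['layout.twig', "o'neil.twig", 'trailing\\'];

foreach ($names as $name) {
    printf(
        "%-16s naive: %-5s safe: %s\n",
        json_encode($name),
        isSingleStringLiteral(emitNaively($name)) ? 'ok' : 'BREAK',
        isSingleStringLiteral(emitSingleQuotedLiteral($name)) ? 'ok' : 'BREAK'
    );
}
```

The tokenizer check is cheap enough to run in a test suite over every code path that writes generated PHP to a cache directory, and it fails on the quote and trailing-backslash cases regardless of which escaping helper the generator uses.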
Remediation
Install the update from the vendor's website.