Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments
May 20, 2026
#Security Advisories
#Twig
HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`
May 20, 2026
#Security Advisories
#Twig
Sandbox does not protect against resource exhaustion
May 20, 2026
#Security Advisories
#Twig
`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
May 20, 2026
#Security Advisories
#Twig
`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
May 20, 2026
#Security Advisories
#Twig
Sandbox property and method bypass via object-destructuring assignment
May 20, 2026
#Security Advisories
#Twig
XSS in profiler HtmlDumper via unescaped template and profile names
May 20, 2026
#Security Advisories
#Twig
Arbitrary PHP code execution via `_self.(
May 20, 2026
#Security Advisories
#Twig
Sandbox property allowlist bypass via the `column` filter (array_column on objects)
May 20, 2026
#Security Advisories
#Twig
Possible sandbox bypass when using a source policy
May 20, 2026
#Security Advisories
#Twig