« Twig » blog posts

Updates and new features of the Twig template language used in Symfony and PHP applications.

Twig 3.27.1 released

Twig 3.27.1 released
May 30, 2026 #Twig 👍 1

CVE-2026-46636 Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders

Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
May 27, 2026 #Twig

CVE-2026-48807 Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators

Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` filters and via the `in`/`not in` operators
May 27, 2026 #Twig

CVE-2026-48805 Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
May 27, 2026 #Twig

CVE-2026-48806 Sandbox `__toString()` policy bypass via dynamic mapping keys

Sandbox `__toString()` policy bypass via dynamic mapping keys
May 27, 2026 #Twig

CVE-2026-48808 Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
May 27, 2026 #Twig

Twig 3.27.0 released

Twig 3.27.0 released
May 27, 2026 #Twig 👍 1

CVE-2026-47732 Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points

Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
May 20, 2026 #Twig

CVE-2026-46627 Sandbox does not protect against resource exhaustion

Sandbox does not protect against resource exhaustion
May 20, 2026 #Twig

CVE-2026-46628 The `spaceless` filter implicitly marks its output as safe

The `spaceless` filter implicitly marks its output as safe
May 20, 2026 #Twig