XSS in profiler HtmlDumper via unescaped template and profile names
May 20, 2026
#Twig
Arbitrary PHP code execution via `_self.()` macro-reference compilation
May 20, 2026
#Twig
Possible sandbox bypass when using a source policy
May 20, 2026
#Twig
Twig 3.25.0 ships with a new ``needs_is_sandboxed`` option that lets
filters, functions, and tests adapt their behavior when running inside a
sandbox, makes the compiled output of templates using ``{% embed %}``
deterministic across runs, and removes a long-standing limitation that
prevented overriding ``EscaperRuntime`` via a custom runtime loader.
May 17, 2026
#Twig
👍 2
🚀 1
Twig 3.24.0 has just been released with a major new feature for working with
HTML attributes, improved null-safe operator behavior, and variable renaming
in object destructuring.
March 18, 2026
#Twig
❤️ 11
👍 5
🚀 12
🎉 5
Twig 3.23: Introducing new operators and destructuring support
January 23, 2026
#Twig
❤️ 27
👍 7
🚀 6
🎉 7
Twig CVE-2025-24374: Missing output escaping for the null coalesce operator
January 29, 2025
#Twig
👍 1
Introducing the new Twig Playground
December 26, 2024
#Twig
❤️ 17
👍 7
🚀 7
🎉 4
Twig 3.15 introduces dynamic dot operator support, named arguments in macros, argument unpacking, and universal arrow function usage.
December 19, 2024
#Twig
❤️ 16
👍 3
🚀 4
🎉 4