๐Ÿ” CVE Alert

CVE-2026-47732

UNKNOWN 0.0

Twig Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed(), allowing a sandboxed template author to invoke __toString() on objects reachable in the render context through conditional expressions, comparison operators, tests, template-loading tags, dynamic attribute names, spread arguments, the do tag, and the .. range operator. This issue is fixed in version 3.26.0.

CWE CWE-863
Vendor twigphp
Product twig
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for twigphp twig

Be the first to know when new unknown vulnerabilities affecting twigphp twig are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

twigphp / Twig
< 3.26.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/twigphp/Twig/security/advisories/GHSA-pr2w-4gpj-cpq4 github.com: https://github.com/twigphp/Twig/commit/447d0b2331e01b8fc6e08119ac984e1ef50caef9 github.com: https://github.com/twigphp/Twig/releases/tag/v3.26.0