๐Ÿ” CVE Alert

CVE-2026-48805

UNKNOWN 0.0

Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0.

CWE CWE-693
Vendor twigphp
Product twig
Published Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for twigphp twig

Be the first to know when new unknown vulnerabilities affecting twigphp twig are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

twigphp / Twig
< 3.27.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/twigphp/Twig/security/advisories/GHSA-p42q-9prx-q5wq github.com: https://github.com/twigphp/Twig/commit/e235cae3a1d1e23edc24df4d675f18108c6b167b github.com: https://github.com/twigphp/Twig/releases/tag/v3.27.0