๐Ÿ” CVE Alert

CVE-2026-49981

UNKNOWN 0.0

Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0.

CWE CWE-693 CWE-863
Vendor twigphp
Product twig
Published Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for twigphp twig

Be the first to know when new unknown vulnerabilities affecting twigphp twig are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

twigphp / Twig
< 3.27.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/twigphp/Twig/security/advisories/GHSA-529h-vh3j-85hq github.com: https://github.com/twigphp/Twig/commit/23eb6eb1267cb0d303b91eb5cff9b0c559c538a4 github.com: https://github.com/twigphp/Twig/releases/tag/v3.27.0