PT-2026-42168 · Twig · Twig
Fabien Potencier
Published 2026-05-20 · Updated 2026-05-20
CVE-2026-24425
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Twig versions 2.16.x
Twig versions 3.9.0 through 3.25.x
Description
A sandbox bypass exists in Twig when the sandbox is enabled through a SourcePolicyInterface rather than globally. The runtime check that decides whether the sandbox applies does not use the source of the template currently being rendered, so it treats the template as unsandboxed. As a result, an attacker who can supply or edit a template that the application renders can pass arbitrary PHP callables, which the sandbox is supposed to reject, as the arrow argument of the sort, filter, map and reduce filters, and Twig invokes them. This can lead to arbitrary code execution. Deployments that enable the sandbox globally are not in the affected configuration.
Recommendations
Update Twig versions 2.16.x to a newer version containing the fix.
Update Twig versions 3.9.0 through 3.25.x to a newer version containing the fix.
Only sandboxes enabled through a source policy are affected; deployments that enable the sandbox globally are outside the affected configuration but should still update.
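To tell which of the two sandbox configurations a deployment uses, and whether the installed Twig still lets a non-Closure callable reach the affected filters, the following probe is an added example; it is not code from the Twig project or from this advisory. It assumes Twig is installed through Composer and that the Twig 3.x `SandboxExtension(SecurityPolicyInterface $policy, bool $sandboxed = false, ?SourcePolicyInterface $sourcePolicy = null)` constructor, the `SecurityPolicy` constructor and `SourcePolicyInterface::enableSandbox(Source $source): bool` have the signatures shown; check them against the installed version. The template, the harmless `strcmp` stand-in for an attacker-chosen callable, and the helper names are the example's own.

```php
<?php
// Added example (not Twig project code): render the same template under the two
// ways of enabling the Twig sandbox and report whether a string callable is
// accepted as the arrow of the sort filter. Assumes Composer autoloading and the
// Twig 3.x sandbox API named in the comments below.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Constructed probe template. 'strcmp' is a string naming a PHP function, not a
// Closure; it stands in for the arbitrary callable described in the advisory and
// is harmless if it does get invoked.
const PROBE_TEMPLATE = "{{ ['b', 'a']|sort('strcmp')|join(',') }}";

// The filters the probe uses must be allow-listed, otherwise the sandbox rejects
// the template for an unrelated reason and the probe proves nothing.
function policy(): SecurityPolicy
{
    // Positional arguments: allowed tags, filters, methods, properties, functions.
    return new SecurityPolicy([], ['sort', 'join'], [], [], []);
}

// Configuration A: sandbox enabled globally for every template.
function globallySandboxed(): Environment
{
    $twig = new Environment(new ArrayLoader(['probe' => PROBE_TEMPLATE]));
    $twig->addExtension(new SandboxExtension(policy(), true));
    return $twig;
}

// Configuration B: sandbox enabled per template through a SourcePolicyInterface,
// the configuration the advisory describes. This policy sandboxes every source,
// so the intended behaviour is identical to configuration A.
function sourcePolicySandboxed(): Environment
{
    $sourcePolicy = new class implements SourcePolicyInterface {
        public function enableSandbox(Source $source): bool
        {
            return true;
        }
    };
    $twig = new Environment(new ArrayLoader(['probe' => PROBE_TEMPLATE]));
    $twig->addExtension(new SandboxExtension(policy(), false, $sourcePolicy));
    return $twig;
}

// A correctly sandboxed environment must refuse the string callable with a Twig
// error; if the template renders, the callable reached uasort() unchecked.
function probe(string $label, Environment $twig): void
{
    try {
        $out = $twig->render('probe');
        printf("%-14s NOT SANDBOXED: string callable accepted, rendered %s\n", $label, var_export($out, true));
    } catch (TwigError $e) {
        printf("%-14s ok: callable rejected (%s)\n", $label, $e->getMessage());
    }
}

probe('global', globallySandboxed());
probe('source-policy', sourcePolicySandboxed());
```

Run it from the application root (`php probe.php`). According to the description above, the global configuration should reject the callable on every version, while the source-policy configuration is expected to accept it on an affected version and to reject it once the fixed version is installed; if the `SourcePolicyInterface` class is missing, the installed Twig predates per-source sandboxing and the affected configuration cannot be in use.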
Weakness Enumeration
Protection Mechanism Failure (CWE-693)
Affected Products
Twig