Template Language Vulnerability in Twig by SensioLabs
CVE-2026-48805

5.3MEDIUM

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-48805?

Twig, a widely-used template language for PHP, contained a flaw prior to version 3.27.0 that allowed deprecated internal wrappers to not forward the current sandbox state. This oversight enabled certain legacy function calls, such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox(), to bypass sandbox callable restrictions. Consequently, this could lead to potential security breaches if these functions were improperly utilized. The issue has been rectified in the latest release, version 3.27.0.

Affected Version(s)

Twig < 3.27.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.