Template Language Vulnerability in Twig Affects PHP Applications
CVE-2026-48807

7.1HIGH

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-48807?

The Twig template engine for PHP has a vulnerability that allows Traversable values passed to certain filters to bypass the sandbox security checks. Specifically, contained Stringable objects can be coerced into strings without adhering to the sandbox policy. This behavior occurs in versions prior to 3.27.0, which has addressed the issue by ensuring all types passed into the relevant filters are properly validated against the sandbox policy. It is imperative for users of Twig to upgrade to version 3.27.0 to protect their applications from potential exploitation.

Affected Version(s)

Twig < 3.27.0

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.