Template Language Vulnerability in Twig Affects PHP Applications
CVE-2026-48807
7.1HIGH
What is CVE-2026-48807?
The Twig template engine for PHP has a vulnerability that allows Traversable values passed to certain filters to bypass the sandbox security checks. Specifically, contained Stringable objects can be coerced into strings without adhering to the sandbox policy. This behavior occurs in versions prior to 3.27.0, which has addressed the issue by ensuring all types passed into the relevant filters are properly validated against the sandbox policy. It is imperative for users of Twig to upgrade to version 3.27.0 to protect their applications from potential exploitation.
Affected Version(s)
Twig < 3.27.0
