Template Language Vulnerability in Twig by Twig, Inc.
CVE-2026-48808

6MEDIUM

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-48808?

The Twig template language for PHP has a vulnerability that allows a template author to bypass sandbox restrictions. Specifically, prior to version 3.27.0, the column filter incorrectly passes the active sandbox state as a boolean, failing to forward the current Source to the SandboxExtension's checkPropertyAllowed() method. This oversight can lead to a scenario where unauthorized access to public or magic properties occurs, compromising the integrity of the sandbox policy.

Affected Version(s)

Twig < 3.27.0

References

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.