Template Language Vulnerability in Twig by Twig, Inc.
CVE-2026-48808
6MEDIUM
What is CVE-2026-48808?
The Twig template language for PHP has a vulnerability that allows a template author to bypass sandbox restrictions. Specifically, prior to version 3.27.0, the column filter incorrectly passes the active sandbox state as a boolean, failing to forward the current Source to the SandboxExtension's checkPropertyAllowed() method. This oversight can lead to a scenario where unauthorized access to public or magic properties occurs, compromising the integrity of the sandbox policy.
Affected Version(s)
Twig < 3.27.0
