Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Debian DSA |
DSA-6311-1 | php-twig security update |
Github GHSA |
GHSA-p42q-9prx-q5wq | Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php` |
Thu, 16 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Twigphp
Twigphp twig |
|
| Vendors & Products |
Twigphp
Twigphp twig |
Tue, 14 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0. | |
| Title | Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php` | |
| Weaknesses | CWE-693 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T15:09:20.665Z
Reserved: 2026-05-22T20:57:10.975Z
Link: CVE-2026-48805
Updated: 2026-07-16T15:09:17.294Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T01:45:04Z
Debian DSA
Github GHSA