Twig security advisories (Severity/Score column shows "—" where no severity or CVSS score is listed; an advisory can cover several version ranges)

Severity | Score | Advisory | Affected versions
---------|-------|----------|------------------
HIGH | 8.8 | CVE-2026-24425 Twig: Possible sandbox bypass when using a source policy | >= 2.16.0, <= 2.16.1; >= 2.0.0, < 2.14.11; >= 1.0.0, < 1.44.8
HIGH | 8.1 | Twig remote code execution in templates | from 0, < 1.20.0
HIGH | 7.5 | Twig may load a template outside a configured directory when using the filesystem loader | >= 1.0.0, < 1.44.7
MEDIUM | 4.3 | Twig security issue where escaping was missing when using the null coalesce operator | >= 3.16.0, < 3.19.0
LOW | 3.7 | Twig Sandbox Information Disclosure | from 0, < 1.38.0
LOW | 2.2 | Twig has unguarded calls to `__isset()` and to array accesses when the sandbox is enabled | from 0, < 3.11.2
LOW | 2.2 | Twig has unguarded calls to `__toString()` when nesting an object into an array | from 0, < 3.11.2
— | — | Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points | from 0, < 3.26.0
— | — | Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation | >= 3.15.0, < 3.26.0
— | — | Twig: Sandbox property and method bypass via object-destructuring assignment | >= 3.24.0, < 3.26.0
— | — | Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411) | from 0, < 3.26.0
— | — | Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) | from 0, < 3.26.0
— | — | Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name | >= 3.9.0, < 3.26.0
— | — | Twig: PHP code injection via `{% use %}` template name | from 0, < 3.26.0
— | — | Twig: The `spaceless` filter implicitly marks its output as safe | from 0, < 3.26.0
— | — | Twig: XSS in profiler HtmlDumper via unescaped template and profile names | >= 3.0.0, < 3.26.0
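The ranges above are the only thing a practitioner needs from this listing: given the Twig version pinned in `composer.lock`, which advisories apply, and whether one upgrade clears all of them. The script below is an added example, not code from Twig or from the advisory database. It copies the titles and version ranges from the table verbatim; the range grammar it parses (`>= X`, `< X`, `<= X`, `from 0`, comma-separated clauses that all have to hold) is an assumption about how the listing is written, and `twig_advisories_for()` / `parse_version()` are names chosen here. Note that the `from 0` ranges, read literally, span every major release, so a 1.x or 2.x pin matches the 3.x-era sandbox advisories as well; that is what the listing says, and a real audit should be run with `composer audit`, which uses the same data source with per-major fix information.

```python
"""Match a Twig version against the advisory table above (added example, not Twig's code)."""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int]

# Titles and ranges copied from the advisory table on this page.
ADVISORIES: List[Tuple[str, List[str]]] = [
    ("CVE-2026-24425 Twig: Possible sandbox bypass when using a source policy",
     [">= 2.16.0, <= 2.16.1", ">= 2.0.0, < 2.14.11", ">= 1.0.0, < 1.44.8"]),
    ("Twig remote code execution in templates", ["from 0, < 1.20.0"]),
    ("Twig may load a template outside a configured directory when using the filesystem loader",
     [">= 1.0.0, < 1.44.7"]),
    ("Twig security issue where escaping was missing when using the null coalesce operator",
     [">= 3.16.0, < 3.19.0"]),
    ("Twig Sandbox Information Disclosure", ["from 0, < 1.38.0"]),
    ("Twig has unguarded calls to __isset() and to array accesses when the sandbox is enabled",
     ["from 0, < 3.11.2"]),
    ("Twig has unguarded calls to __toString() when nesting an object into an array",
     ["from 0, < 3.11.2"]),
    ("Twig: Sandbox: multiple __toString() policy bypasses via unguarded string coercion points",
     ["from 0, < 3.26.0"]),
    ("Twig: Arbitrary PHP code execution via _self.(<string>) macro-reference compilation",
     [">= 3.15.0, < 3.26.0"]),
    ("Twig: Sandbox property and method bypass via object-destructuring assignment",
     [">= 3.24.0, < 3.26.0"]),
    ("Twig: {% sandbox %}{% include %} skips checkSecurity() on cached templates "
     "(incomplete fix for CVE-2024-45411)", ["from 0, < 3.26.0"]),
    ("Twig: Sandbox property allowlist bypass via the column filter (array_column on objects)",
     ["from 0, < 3.26.0"]),
    ("Twig: template_from_string() escapes a SourcePolicy-driven sandbox via synthesized template name",
     [">= 3.9.0, < 3.26.0"]),
    ("Twig: PHP code injection via {% use %} template name", ["from 0, < 3.26.0"]),
    ("Twig: The spaceless filter implicitly marks its output as safe", ["from 0, < 3.26.0"]),
    ("Twig: XSS in profiler HtmlDumper via unescaped template and profile names",
     [">= 3.0.0, < 3.26.0"]),
]

# One clause of a range: an operator followed by a dotted version. "from 0" is
# treated as ">= 0" (assumption about the listing's notation).
_CLAUSE = re.compile(r"^(from|>=|<=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")
_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "from": lambda v, b: v >= b,
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    "<": lambda v, b: v < b,
    ">": lambda v, b: v > b,
}


def parse_version(text: str) -> Version:
    """Turn '3.9' or '0' into a comparable 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def in_range(version: Version, range_text: str) -> bool:
    """True when the version satisfies every comma-separated clause of the range."""
    for clause in range_text.split(","):
        m = _CLAUSE.match(clause.strip())
        if m is None:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](version, parse_version(bound)):
            return False
    return True


def twig_advisories_for(version_text: str) -> List[str]:
    """Titles of every advisory in the table whose ranges include this Twig version."""
    version = parse_version(version_text)
    return [title for title, ranges in ADVISORIES
            if any(in_range(version, r) for r in ranges)]


if __name__ == "__main__":
    # Constructed sample pins; replace with the version from your composer.lock.
    for pinned in ("3.18.0", "3.24.1", "3.26.0"):
        hits = twig_advisories_for(pinned)
        print(f"twig/twig {pinned}: {len(hits)} advisory(ies)")
        for title in hits:
            print("  -", title)
```

Reading the output for the three sample pins shows the practical point of the table: every 3.x pin below 3.26.0 matches the block of unscored sandbox and code-injection advisories regardless of the older, scored entries, so 3.26.0 is the single target that clears all of them for a 3.x deployment.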