pkg:Debian/php-twig
29 total CVEs: HIGH 8, MEDIUM 1, LOW 3
All known vulnerabilities
- HIGH 8.8 | CVE-2026-24425 | Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attacke… | from 0
- from 0, < 2.14.3-1+deb11u1
- from 0, < 2.14.3-1+deb11u1
- from 0, < 3.5.1-1+deb12u1
- from 0, < 2.14.3-1+deb11u3
- from 0, < 2.14.3-1+deb11u3
- HIGH 7.5 | CVE-2022-39261 | Twig may load a template outside a configured directory when using the filesystem loader | from 0, < 2.14.3-1+deb11u2
- HIGH 7.5 | CVE-2022-39261 | Twig may load a template outside a configured directory when using the filesystem loader | from 0, < 2.14.3-1+deb11u2
- MEDIUM 4.3 | CVE-2025-24374 | Twig security issue where escaping was missing when using null coalesce operator | from 0
- LOW 2.2 | CVE-2024-51755 | Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled | from 0
- from 0, < 2.14.3-1+deb11u4
- from 0, < 2.14.3-1+deb11u4
- from 0
- from 0
- from 0
- from 0
- from 0
- from 0
- — | CVE-2026-46640 | Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation | from 0
- from 0, < 3.26.0-1
- — | CVE-2026-46638 | Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411) | from 0
- from 0
- — | CVE-2026-46635 | Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) | from 0
- — | CVE-2026-46634 | Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name | from 0
- from 0
- — | CVE-2026-46629 | twig/intl-extra: Unbounded formatter memoisation in keyed on template-controlled arguments | from 0
- from 0
- from 0
- from 0