twig/twig vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
CVE-2026-49981Hightwig/twig: Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`CVE-2026-48808Mediumtwig/twig: Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`CVE-2026-48807Mediumtwig/twig: Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filtersCVE-2026-48806Mediumtwig/twig: Twig: Sandbox `__toString()` policy bypass via dynamic mapping keysCVE-2026-48805Lowtwig/twig: Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`CVE-2026-47732Hightwig/twig: Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion pointsCVE-2026-47730Lowtwig/twig: Twig: XSS in profiler HtmlDumper via unescaped template and profile namesCVE-2026-24425Hightwig/twig: Twig: Possible sandbox bypass when using a source policyCVE-2026-46640Hightwig/twig: Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilationCVE-2026-46639Hightwig/twig: Twig: Sandbox property and method bypass via object-destructuring assignmentCVE-2026-46638Mediumtwig/twig: Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)CVE-2026-46635Lowtwig/twig: Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects)CVE-2026-46634Mediumtwig/twig: Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template nameCVE-2026-46633Criticaltwig/twig: Twig: PHP code injection via `{% use %}` template nameCVE-2026-46628Lowtwig/twig: Twig: The `spaceless` filter implicitly marks its output as safeCVE-2025-24374Mediumtwig/twig: Twig security issue where escaping was missing when using null coalesce operatorCVE-2024-51755Lowtwig/twig: Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabledCVE-2024-51754Lowtwig/twig: Twig has unguarded calls to `__toString()` when nesting an object into an arrayCVE-2024-45411Mediumtwig/twig: Twig has a possible sandbox bypassGHSA-7CVR-XHM5-X998Mediumtwig/twig: Twig Path Traversal vulnerability in the filesystem loaderCVE-2022-39261Hightwig/twig: Twig may load a template outside a configured directory when using the filesystem loaderCVE-2015-7809Hightwig/twig: Twig remote code execution in templatesCVE-2019-9942Lowtwig/twig: Twig Sandbox Information DisclosureCVE-2022-23614Hightwig/twig: Code injection in Twig

Stop the waste.
Protect your environment with Kodem.