pkg:Packagist/twig/twig

All known vulnerabilities

• HIGH8.8CVE-2022-23614php-twig - security update
  >= 2.0.0, < 2.14.11
• HIGH8.5CVE-2024-45411php-twig - security update
  >= 1.0.0, < 1.44.8
• HIGH8.1CVE-2015-7809twig - security update
  from 0, < 1.20.0
• HIGH7.5CVE-2022-39261Twig may load a template outside a configured directory when using the filesystem loader
  >= 1.0.0, < 1.44.7
• MEDIUM4.3CVE-2025-24374Twig security issue where escaping was missing when using null coalesce operator
  >= 3.16.0, < 3.19.0
• LOW3.7CVE-2019-9942twig - security update
  from 0, < 1.38.0
• LOW2.2CVE-2024-51755Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled
  from 0, < 3.11.2
• LOW2.2CVE-2024-51754php-twig - security update
  from 0, < 3.11.2
• —CVE-2026-46640Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation
  >= 3.15.0, < 3.26.0
• —CVE-2026-46639Twig: Sandbox property and method bypass via object-destructuring assignment
  >= 3.24.0, < 3.26.0
• —CVE-2026-46638Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
  from 0, < 3.26.0
• —CVE-2026-46635Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects)
  from 0, < 3.26.0
• —CVE-2026-46634Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
  >= 3.9.0, < 3.26.0
• —CVE-2026-46633Twig: PHP code injection via `{% use %}` template name
  from 0, < 3.26.0
• —CVE-2026-46628Twig: The `spaceless` filter implicitly marks its output as safe
  from 0, < 3.26.0