Home

Description

Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.

PUBLISHED Reserved 2026-01-22 | Published 2026-05-20 | Updated 2026-05-20 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-693 Protection Mechanism Failure

Product status

Default status
affected

3.9.0 (semver) before 3.26.0
affected

2.16.* (custom)
affected

Credits

Nicolò Ribaudo finder

Fabien Potencier remediation developer

VulnCheck coordinator

References

github.com/...p/Twig/security/advisories/GHSA-2q52-x2ff-qgfr vendor-advisory

github.com/twigphp/Twig/releases/tag/v3.26.0 release-notes

www.vulncheck.com/...andbox-bypass-via-sourcepolicyinterface third-party-advisory

cve.org (CVE-2026-24425)

nvd.nist.gov (CVE-2026-24425)

Download JSON