Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): bump twig/twig to v3.27.0 (5 sandbox-bypass CVEs)#340

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/twig-cve-3-27
May 28, 2026
Merged

fix(security): bump twig/twig to v3.27.0 (5 sandbox-bypass CVEs)#340
rubenvdlinde merged 1 commit into
developmentfrom
fix/twig-cve-3-27

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

Bumps twig/twig from v3.26.0 to v3.27.0 to resolve five sandbox-bypass CVEs published 2026-05-27.

CVE Title
CVE-2026-48805 Sandbox state regression in deprecated internal wrappers in src/Resources/core.php
CVE-2026-48806 Sandbox __toString() policy bypass via dynamic mapping keys
CVE-2026-48807 Sandbox __toString() policy bypass via Traversable in join/replace and in/not in operators
CVE-2026-48808 Sandbox property allowlist bypass via the column filter under SourcePolicyInterface
CVE-2026-46636 Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders

Details

  • twig/twig is a transitive dependency pulled in via edgedesign/phpqa (constraint ~1.38|~2.7|>=3).
  • No changes to composer.json were needed — the existing constraint already allows 3.27.x.
  • Only composer.lock is changed (3 package version bumps: twig/twig, symfony/polyfill-mbstring, symfony/polyfill-php81).
  • composer audit is clean after the update.

Test plan

  • composer audit reports no security advisories
  • composer show twig/twig confirms v3.27.0
  • Only composer.lock modified — no logic changes

…CVEs

Fixes CVE-2026-48805, CVE-2026-48806, CVE-2026-48807, CVE-2026-48808,
CVE-2026-46636 (all twig/twig sandbox bypass, reported 2026-05-27).

twig/twig was a transitive dependency via edgedesign/phpqa (constraint
~1.38|~2.7|>=3); bumped from v3.26.0 to v3.27.0 via `composer update
twig/twig --with-dependencies`. `composer audit` is now clean.
@rubenvdlinde rubenvdlinde merged commit 82c3d0f into development May 28, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant