Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): bump twig/twig to ^3.27.0 — patch 5 sandbox bypass CVEs#352

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/twig-cve-3-27
May 28, 2026
Merged

fix(security): bump twig/twig to ^3.27.0 — patch 5 sandbox bypass CVEs#352
rubenvdlinde merged 1 commit into
developmentfrom
fix/twig-cve-3-27

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

  • Bumps twig/twig from v3.26.0 to v3.27.0 to fix 5 sandbox-bypass CVEs disclosed 2026-05-27
  • Adds an explicit require-dev pin ("twig/twig": "^3.27.0") so the safe version floor is enforced going forward
  • composer audit now reports no security vulnerability advisories

CVEs fixed

CVE Title
CVE-2026-48805 Sandbox state regression in deprecated internal wrappers (src/Resources/core.php)
CVE-2026-48806 Sandbox __toString() policy bypass via dynamic mapping keys
CVE-2026-48807 Sandbox __toString() policy bypass via Traversable in join/replace and in/not in operators
CVE-2026-48808 Sandbox property allowlist bypass via the column filter under SourcePolicyInterface
CVE-2026-46636 Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders

Dependency type

twig/twig is a transitive dependency pulled in by edgedesign/phpqa. An explicit pin was added to require-dev to guarantee ^3.27.0.

Test plan

  • composer audit — clean (no advisories)
  • composer show twig/twigv3.27.0

Fixes CVE-2026-48805, CVE-2026-48806, CVE-2026-48807, CVE-2026-48808,
CVE-2026-46636 (all sandbox-bypass, disclosed 2026-05-27, affected <3.27.0).
twig/twig was a transitive dependency via edgedesign/phpqa; added explicit
^3.27.0 pin in require-dev to guarantee the safe version floor.
@rubenvdlinde rubenvdlinde merged commit f6be4f9 into development May 28, 2026
@rubenvdlinde rubenvdlinde deleted the fix/twig-cve-3-27 branch May 28, 2026 09:53
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant