Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): bump twig/twig to 3.27.0 — fix 5 sandbox-bypass CVEs#182

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/twig-cve-3-27
May 28, 2026
Merged

fix(security): bump twig/twig to 3.27.0 — fix 5 sandbox-bypass CVEs#182
rubenvdlinde merged 1 commit into
developmentfrom
fix/twig-cve-3-27

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

  • Bumps twig/twig from v3.26.0 to v3.27.0 (lock file only — no composer.json change needed)
  • twig/twig is transitive via edgedesign/phpqa (dev-only dependency, constraint >=3)
  • Resolves all 5 twig sandbox-bypass CVEs reported 2026-05-27:
    • CVE-2026-48805 — sandbox state regression in deprecated internal wrappers (src/Resources/core.php)
    • CVE-2026-48806 — sandbox __toString() policy bypass via dynamic mapping keys
    • CVE-2026-48807 — sandbox __toString() bypass via Traversable in join/replace and in/not in
    • CVE-2026-48808 — sandbox property allowlist bypass via column filter under SourcePolicyInterface
    • CVE-2026-46636 — sandbox filter/tag/function allowlist bypass when sandbox state changes between renders

Verification

composer audit after the update returns No security vulnerability advisories found.

Scope

Dev-only impact (phpqa is in require-dev). No production runtime change.

Resolves CVE-2026-48805, CVE-2026-48806, CVE-2026-48807, CVE-2026-48808,
and CVE-2026-46636 (all twig/twig sandbox bypass, 2026-05-27).
twig/twig was transitive via edgedesign/phpqa (dev-only, constraint >=3)
so the lock update alone is sufficient — no composer.json change needed.
@rubenvdlinde rubenvdlinde merged commit 0143c8f into development May 28, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant