Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(deps): bump twig/twig to 3.27.0 (5 sandbox CVEs)#286

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/twig-cve-3-27
May 28, 2026
Merged

fix(deps): bump twig/twig to 3.27.0 (5 sandbox CVEs)#286
rubenvdlinde merged 1 commit into
developmentfrom
fix/twig-cve-3-27

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Security fix

Bumps the transitive dependency twig/twig from v3.26.0 to v3.27.0 to resolve 5 sandbox-escape CVEs published 2026-05-27.

CVE Title
CVE-2026-48808 Sandbox property allowlist bypass via column filter under SourcePolicyInterface
CVE-2026-48805 Sandbox state regression in deprecated internal wrappers in src/Resources/core.php
CVE-2026-46636 Sandbox filter/tag/function allowlist bypass when sandbox state changes between renders
CVE-2026-48806 Sandbox __toString() policy bypass via dynamic mapping keys
CVE-2026-48807 Sandbox __toString() policy bypass via Traversable in join/replace and in/not in operators

Changes

  • composer.lock only — twig is a transitive dependency pulled in by edgedesign/phpqa (~1.38|~2.7|>=3), no composer.json edit required.
  • Also bumps symfony/polyfill-mbstring and symfony/polyfill-php81 as they were resolved at the same time.
  • composer audit is now clean of all twig advisories.

Test plan

  • composer install --ignore-platform-reqs succeeds
  • composer audit reports no vulnerabilities
  • composer show twig/twig shows v3.27.0

CVE-2026-48808 — sandbox property allowlist bypass via column filter
CVE-2026-48805 — sandbox state regression in deprecated internal wrappers
CVE-2026-46636 — sandbox filter/tag/function allowlist bypass on re-render
CVE-2026-48806 — sandbox __toString() bypass via dynamic mapping keys
CVE-2026-48807 — sandbox __toString() bypass via Traversable in join/replace/in

twig/twig was a transitive dependency (via edgedesign/phpqa); updated
lock file from v3.26.0 to v3.27.0. No composer.json change required.
@rubenvdlinde rubenvdlinde merged commit d1a2c96 into development May 28, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant