Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): bump twig/twig to ^3.27.0 (CVE-2026-48805/06/07/08, CVE-2026-46636)#668

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/twig-cve-3-27
May 28, 2026
Merged

fix(security): bump twig/twig to ^3.27.0 (CVE-2026-48805/06/07/08, CVE-2026-46636)#668
rubenvdlinde merged 1 commit into
developmentfrom
fix/twig-cve-3-27

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

  • Bumps twig/twig from v3.26.0 to v3.27.0 to fix 5 sandbox-bypass CVEs disclosed 2026-05-27
  • Adds explicit "twig/twig": "^3.27.0" to require-dev (was purely transitive via edgedesign/phpqa)
  • composer audit is clean after the bump

CVEs fixed

CVE Title
CVE-2026-48805 Sandbox state regression in deprecated internal wrappers in src/Resources/core.php
CVE-2026-48806 Sandbox __toString() policy bypass via dynamic mapping keys
CVE-2026-48807 Sandbox __toString() policy bypass via Traversable in join/replace and in/not in operators
CVE-2026-48808 Sandbox property allowlist bypass via the column filter under SourcePolicyInterface
CVE-2026-46636 Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders

Dependency relationship

twig/twig is a transitive dependency pulled in by edgedesign/phpqa ~1.38|~2.7|>=3. An explicit floor constraint is added so future composer update runs cannot silently pull in a vulnerable version.

Test plan

  • composer audit returns "No security vulnerability advisories found."
  • twig/twig v3.27.0 installed (up from v3.26.0)
  • CI passes

…CVEs

Addresses CVE-2026-48805, CVE-2026-48806, CVE-2026-48807, CVE-2026-48808,
and CVE-2026-46636 (all twig/twig sandbox bypass vulnerabilities disclosed
2026-05-27). twig/twig was a transitive dependency via edgedesign/phpqa;
added an explicit ^3.27.0 constraint in require-dev to pin the minimum
safe version. Upgraded from v3.26.0 to v3.27.0. composer audit clean.
@rubenvdlinde rubenvdlinde merged commit 6a085e2 into development May 28, 2026
@rubenvdlinde rubenvdlinde deleted the fix/twig-cve-3-27 branch May 28, 2026 09:53
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant