Unrated severityOSV Advisory· Published Jul 16, 2026
Debian php-twig: Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, t…
CVE-2026-49981
Description
Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0.
Affected products
3- Range: <3.27.0
Patches
Vulnerability mechanics
News mentions
0No linked articles in our index yet.