Description
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass when the sandbox is enabled through a SourcePolicyInterface. An attacker who can get a template rendered can pass arbitrary PHP callables to the sort, filter, map, and reduce filters: the runtime check on those callables does not take the current template's source into account, so it is not applied when sandboxing is switched on per template by a source policy rather than globally. The result is execution of arbitrary PHP code despite the sandbox.
Published: 2026-05-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass that lets an attacker with the ability to render templates supply arbitrary PHP callables to the sort, filter, map, and reduce filters. The runtime check that should reject such callables does not use the current template source, so it is not applied when the sandbox is enabled via a SourcePolicyInterface rather than globally. The sandbox restrictions are circumvented and the attacker obtains arbitrary PHP code execution.

Affected Systems

The vulnerability affects the Twig PHP templating engine, specifically the 2.16.x line and releases 3.9.0 through 3.25.x. Systems running those versions are impacted when they render templates with a sandbox that is enabled through a SourcePolicyInterface; deployments that enable the sandbox globally are not in the affected configuration described here.

Risk and Exploitability

The CVSS 4.0 score of 8.7 (CVSS 3.1: 8.8) classifies this as high severity: the vector is network-reachable, low complexity and needs no user interaction, but it does require the low privilege of being able to get a template rendered, and the impact on confidentiality, integrity and availability is high. The EPSS estimate is below 1% and the CVE is not listed in the CISA KEV catalog, so observed exploitation is currently unlikely, although the SSVC assessment rates the technical impact as total. The realistic exposure is any application that renders templates from untrusted sources (user-customisable e-mail or page templates, per-tenant theming, template editors) and relies on a SourcePolicyInterface to switch the sandbox on for exactly those templates. Successful exploitation grants arbitrary PHP code execution inside the web process.

Generated by OpenCVE AI on May 20, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround is recorded in the CVE record.

OpenCVE Recommended Actions

  • Upgrade to Twig v3.26.0 or later to apply the vendor‑issued fix
  • If an upgrade cannot be performed immediately, do not disable the sandbox; instead enable it globally (SandboxExtension constructed with sandboxing on for every template) rather than switching it on per template through a SourcePolicyInterface, since only the source-policy mode is affected
  • Audit template rendering code so that no untrusted template can reach the sort, filter, map, or reduce filters with an attacker‑controlled callable, and confirm which templates the source policy actually sandboxes
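The recommended actions above come down to how SandboxExtension is constructed. The following script is an added example for this page, not code from OpenCVE or from the Twig project: it builds the same restrictive SecurityPolicy twice, once with the sandbox switched on only by a SourcePolicyInterface (the configuration the advisory says is affected) and once with the sandbox enabled globally, and renders a constructed template that hands a plain string callable to the map filter. It assumes twig/twig is installed through Composer; the template name, the UntrustedSourcePolicy class and the allowed-filter list are assumptions chosen for the demonstration, and the exact error text Twig produces depends on the release.

```php
<?php
// Added example for this page; not code from OpenCVE or from the Twig project.
// Assumes twig/twig is installed via Composer. Template name, policy class and
// allowed-filter list are assumptions made for the demonstration.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Source policy that sandboxes only templates whose name marks them as untrusted.
// This is the per-template mode the advisory describes as affected.
final class UntrustedSourcePolicy implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        return str_starts_with($source->getName(), 'untrusted/');
    }
}

// Constructed template: a plain string callable ('strtoupper', deliberately
// harmless) is handed to the map filter. The advisory's point is that such
// non-Closure callables reach sort/filter/map/reduce when the sandbox is
// enabled only through a source policy.
const TEMPLATES = [
    'untrusted/user.twig' => "{{ ['a', 'b'] | map('strtoupper') | join(',') }}",
];

// Restrictive policy: no tags, no methods, no properties, no functions, and
// only the two filters the template legitimately needs.
function policy(): SecurityPolicy
{
    return new SecurityPolicy([], ['map', 'join'], [], [], []);
}

// Build an environment whose sandbox is enabled either per template (source
// policy, second argument false) or globally (second argument true), then
// render the untrusted template and report what happened.
function renderUntrusted(string $mode): string
{
    $twig = new Environment(new ArrayLoader(TEMPLATES));
    $twig->addExtension(match ($mode) {
        'source-policy' => new SandboxExtension(policy(), false, new UntrustedSourcePolicy()),
        'global'        => new SandboxExtension(policy(), true),
    });

    try {
        return 'rendered: ' . $twig->render('untrusted/user.twig');
    } catch (Error $e) {
        // Sandbox refusals are Twig Error subclasses; report them instead of dying.
        return 'refused: ' . $e->getMessage();
    }
}

foreach (['source-policy', 'global'] as $mode) {
    printf("%-14s %s\n", $mode, renderUntrusted($mode));
}
```

Run it with `php demo.php` against the Twig version you ship. The advisory's description implies that on an affected release the source-policy run renders `A,B` while the global run is refused, and that on a fixed release both runs are refused. The shape to look for in your own code is therefore a SandboxExtension constructed with sandboxing off globally plus a SourcePolicyInterface; switching the second argument to true is the interim mitigation, at the cost of sandboxing every template the environment renders.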


Advisories

No advisories yet.

History

Thu, 21 May 2026 08:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Twigphp
                                       Twigphp twig
Vendors & Products                     Twigphp
                                       Twigphp twig

Wed, 20 May 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 14:15:00 +0000

Type          Values Removed   Values Added
Description                    Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.
Title                          Twig 2.16.x & 3.9.0-3.25.x Sandbox Bypass via SourcePolicyInterface
Weaknesses                     CWE-693
References
Metrics                        cvssV3_1
                               {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                               cvssV4_0
                               {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-20T15:44:33.359Z

Reserved: 2026-01-22T20:23:19.801Z

Link: CVE-2026-24425

Vulnrichment

Updated: 2026-05-20T15:43:59.873Z

NVD

Status : Awaiting Analysis

Published: 2026-05-20T14:16:38.917

Modified: 2026-05-20T14:25:57.283

Link: CVE-2026-24425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T08:19:12Z

Weaknesses