GHSA-7fxw-r6jv-74c8

Source

https://github.com/advisories/GHSA-7fxw-r6jv-74c8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7fxw-r6jv-74c8/GHSA-7fxw-r6jv-74c8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7fxw-r6jv-74c8

Aliases

CVE-2026-46638

Related

CGA-643p-7fr4-26v8

Published

2026-05-21T21:28:28Z

Modified

2026-05-22T22:44:48.214102342Z

Severity

5.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator

Summary

Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)

Details

Description

The fix for CVE-2024-45411 / GHSA-6j75-5wfj-gh66 added an explicit $loaded->unwrap()->checkSecurity() call in CoreExtension::include() so that a template already cached in Environment::$loadedTemplates is re-checked when included with sandboxed = true.

The deprecated but still functional {% sandbox %}{% include ... %}{% endsandbox %} tag path was not updated: it compiles to enableSandbox(); yield from $this->load(...)->unwrap()->yield(...); disableSandbox(); with no checkSecurity() re-invocation. If the included template was loaded once outside the sandbox in the same Environment instance, its constructor (and therefore its compiled checkSecurity() call) already ran while isSandboxed() was false, so the tags/filters/functions allowlist enforced by SecurityPolicy::checkSecurity() is never applied.

An attacker who can author the included template gains access to every filter, function and tag registered in the environment, regardless of the sandbox policy.

Resolution

The compiled output of {% sandbox %}{% include %} now calls checkSecurity() on the loaded template, matching the behaviour of CoreExtension::include() with sandboxed = true.

Credits

Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Database specific

{
    "cwe_ids": [
        "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T21:28:28Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
}

References

Affected packages

Packagist / twig/twig

Package

Name: twig/twig
Purl: pkg:composer/twig%2Ftwig

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.26.0

Affected versions

1.*

1.3.0

1.4.0

1.5.0

1.5.1

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

v1.*

v1.7.0

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.9.0

v1.9.1

v1.9.2

v1.10.0

v1.10.1

v1.10.2

v1.10.3

v1.11.0

v1.11.1

v1.12.0-RC1

v1.12.0

v1.12.1

v1.12.2

v1.12.3

v1.13.0

v1.13.1

v1.13.2

v1.14.0

v1.14.1

v1.14.2

v1.15.0

v1.15.1

v1.16.0

v1.16.1

v1.16.2

v1.16.3

v1.17.0

v1.18.0

v1.18.1

v1.18.2

v1.19.0

v1.20.0

v1.21.0

v1.21.1

v1.21.2

v1.22.0

v1.22.1

v1.22.2

v1.22.3

v1.23.0

v1.23.1

v1.23.2

v1.23.3

v1.24.0

v1.24.1

v1.24.2

v1.25.0

v1.26.0

v1.26.1

v1.27.0

v1.28.0

v1.28.1

v1.28.2

v1.29.0

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.33.1

v1.33.2

v1.34.0

v1.34.1

v1.34.2

v1.34.3

v1.34.4

v1.35.0

v1.35.1

v1.35.2

v1.35.3

v1.35.4

v1.36.0

v1.37.0

v1.37.1

v1.38.0

v1.38.1

v1.38.2

v1.38.3

v1.38.4

v1.39.0

v1.39.1

v1.40.0

v1.40.1

v1.41.0

v1.42.0

v1.42.1

v1.42.2

v1.42.3

v1.42.4

v1.42.5

v1.43.0

v1.43.1

v1.44.0

v1.44.1

v1.44.2

v1.44.3

v1.44.4

v1.44.5

v1.44.6

v1.44.7

v1.44.8

v2.*

v2.0.0

v2.1.0

v2.2.0

v2.3.0

v2.3.1

v2.3.2

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.5.0

v2.6.0

v2.6.1

v2.6.2

v2.7.0

v2.7.1

v2.7.2

v2.7.3

v2.7.4

v2.8.0

v2.8.1

v2.9.0

v2.10.0

v2.11.0

v2.11.1

v2.11.2

v2.11.3

v2.12.0

v2.12.1

v2.12.2

v2.12.3

v2.12.4

v2.12.5

v2.13.0

v2.13.1

v2.14.0

v2.14.1

v2.14.2

v2.14.3

v2.14.4

v2.14.5

v2.14.6

v2.14.7

v2.14.8

v2.14.9

v2.14.10

v2.14.11

v2.14.12

v2.14.13

v2.15.0

v2.15.1

v2.15.2

v2.15.3

v2.15.4

v2.15.5

v2.15.6

v2.16.0

v2.16.1

v3.*

v3.0.0-BETA1

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.1.0

v3.1.1

v3.2.1

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9

v3.3.10

v3.4.0

v3.4.1

v3.4.2

v3.4.3

v3.5.0

v3.5.1

v3.6.0

v3.6.1

v3.7.0

v3.7.1

v3.8.0

v3.9.0

v3.9.1

v3.9.2

v3.9.3

v3.10.0

v3.10.1

v3.10.2

v3.10.3

v3.11.0

v3.11.1

v3.11.2

v3.11.3

v3.12.0

v3.13.0

v3.14.0

v3.14.1

v3.14.2

v3.15.0

v3.16.0

v3.17.0

v3.17.1

v3.18.0

v3.19.0

v3.20.0

v3.21.0

v3.21.1

v3.22.0

v3.22.1

v3.22.2

v3.23.0

v3.24.0

v3.25.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7fxw-r6jv-74c8/GHSA-7fxw-r6jv-74c8.json"