CVE-2026-48805

Source
https://cve.org/CVERecord?id=CVE-2026-48805
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48805.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48805
Aliases
Downstream
Published
2026-07-14T21:26:34.876Z
Modified
2026-07-18T03:47:30.361322332Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
Details

Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twigarraysome(), twigarrayevery(), and twigcheckarrowinsandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0.

Database specific
{
    "cwe_ids": [
        "CWE-693"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48805.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/twigphp/twig

Affected ranges

Type
GIT
Repo
https://github.com/twigphp/twig
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.27.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.9.0
v0.9.1
v0.9.10
v0.9.2
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v1.*
v1.0.0
v1.0.0-RC1
v1.0.0-RC2
v1.1.0
v1.1.0-RC1
v1.1.0-RC2
v1.1.0-RC3
v1.1.1
v1.1.2
v1.10.0
v1.10.1
v1.10.2
v1.10.3
v1.11.0
v1.11.1
v1.12.0
v1.12.0-RC1
v1.12.1
v1.12.2
v1.12.3
v1.13.0
v1.13.1
v1.13.2
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.15.1
v1.16.0
v1.16.1
v1.16.2
v1.16.3
v1.17.0
v1.18.0
v1.2.0
v1.2.0-RC1
v1.3.0
v1.3.0-RC1
v1.4.0
v1.4.0-RC1
v1.4.0-RC2
v1.5.0
v1.5.0-RC1
v1.5.0-RC2
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.9.0
v1.9.1
v1.9.2
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.8.1
v3.*
v3.0.0
v3.0.0-BETA1
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.1.0
v3.1.1
v3.10.0
v3.10.1
v3.10.2
v3.10.3
v3.11.0
v3.12.0
v3.13.0
v3.14.0
v3.15.0
v3.16.0
v3.17.0
v3.17.1
v3.18.0
v3.19.0
v3.2.1
v3.20.0
v3.21.0
v3.21.1
v3.22.0
v3.22.1
v3.22.2
v3.23.0
v3.24.0
v3.25.0
v3.26.0
v3.3.0
v3.3.1
v3.3.10
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.5.0
v3.5.1
v3.6.0
v3.6.1
v3.7.0
v3.7.1
v3.8.0
v3.9.0
v3.9.1
v3.9.2
v3.9.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48805.json"