Zurück zur CVE-Übersicht
CVE-2026-46639
NONERisk Signal Score10/100 — NIEDRIG
- Weniger als 24 Stunden alt
Beschreibung
Twig is a template language for PHP. From 3.24.0 until 3.26.0, object-destructuring assignment compiles CoreExtension::getAttribute() with the sandbox argument hardcoded to false, disabling property and method policy checks and allowing an attacker with write access to a sandboxed Twig template to read public properties or invoke public getters on objects passed to the template engine. This issue is fixed in version 3.26.0.
GitHub Advisories
GHSA-mm6w-gr99-p3jjHIGH
Twig: Sandbox property and method bypass via object-destructuring assignment
composer/twig/twig→ 3.26.0
GitHub Advisory