CVE-2026-46635

EUVD-2026-44556
Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
php-twig
bookworm
ignored
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
3.27.1-1
fixed
sid
3.27.1-1
fixed
trixie
3.27.0-0+deb13u1
fixed
trixie (security)
3.27.0-0+deb13u1
fixed