CVE-2026-48807

Twig is a template language for PHP. Prior to 3.27.0, the sandbox __toString() checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not in operators, allowing contained Stringable objects to be coerced to strings without consulting the sandbox policy. This issue is fixed in version 3.27.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
php-twig
bookworm
3.5.1-1+deb12u3
fixed
bookworm (security)
3.5.1-1+deb12u3
fixed
bullseye
2.14.3-1+deb11u2
fixed
bullseye (security)
2.14.3-1+deb11u4
fixed
forky
3.27.1-1
fixed
sid
3.27.1-1
fixed
trixie
3.27.0-0+deb13u1
fixed
trixie (security)
3.27.0-0+deb13u1
fixed