Twig
- ~2.16
- ~3.9.0, < 3.26.0
A sandbox bypass has been identified in Twig 2.16.x and in 3.9.0 and later releases before 3.26.0. It affects deployments that enable the sandbox through a SourcePolicyInterface implementation, which decides per template source whether a template is sandboxed, rather than by enabling the sandbox globally. An attacker who can supply a template that is rendered under such a policy can pass a callback to a callback-accepting filter such as sort, filter, map or reduce. The runtime check that is meant to restrict those callbacks in sandbox mode consulted the sandbox state without the current template's Source, so a sandbox enabled only by the source policy was not seen, the check was skipped, and under those conditions the callback could be used to execute arbitrary code.
Impact: in environments where the sandbox is enforced through a source policy, a template author can escape the sandbox and execute arbitrary code in the rendering process.
The fix shipped in Twig 3.26.0; upgrade to 3.26.0 or later. No fixed release is listed above for the 2.16 line, so deployments on Twig 2 should move to a fixed 3.x release. Until the upgrade is in place, removing sort, filter, map and reduce from the filters the SecurityPolicy allows to untrusted templates should limit exposure, since the filter allowlist is checked before any callback is evaluated.
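The following script is an added example, not code from this advisory or from the Twig project. It reproduces the configuration the advisory describes (sandbox enabled only through a SourcePolicyInterface) and renders a template that passes a plain PHP function name, rather than a Closure, to the map filter. A fixed Twig raises an error from the sandbox's callable check; an affected version runs the callable. The policy class PrefixSourcePolicy, the template name untrusted/tpl, the context data and the function names are assumptions made for the example, and the SandboxExtension constructor's third argument (the source policy) is taken from Twig's sandbox documentation and should be confirmed against the installed version.

```php
<?php
// Added regression check (not Twig's own code): does the sandbox reject a
// non-Closure callback passed to "map" when the sandbox is enabled only by a
// SourcePolicyInterface? Requires: composer require twig/twig
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Hypothetical source policy: only templates whose name starts with
// "untrusted/" are sandboxed; everything else renders unsandboxed.
final class PrefixSourcePolicy implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        return str_starts_with($source->getName(), 'untrusted/');
    }
}

function buildEnvironment(): Environment
{
    // Constructed template: a harmless string callable ("strtoupper") stands
    // in for whatever PHP function name an attacker would supply.
    $loader = new ArrayLoader([
        'untrusted/tpl' => "{{ names|map('strtoupper')|join(',') }}",
    ]);

    // "map" and "join" are explicitly allowed, so the filter allowlist passes
    // and only the callable check decides the outcome.
    $policy = new SecurityPolicy([], ['map', 'join'], [], [], []);

    $twig = new Environment($loader, ['cache' => false, 'autoescape' => false]);

    // Sandbox is NOT enabled globally (second argument false); it is switched
    // on per template by the source policy passed as the third argument.
    $twig->addExtension(new SandboxExtension($policy, false, new PrefixSourcePolicy()));

    return $twig;
}

/**
 * Returns true when Twig refuses the string callable inside the sandboxed
 * template (the check sees the source-policy sandbox), false when the
 * template rendered and the callable was executed.
 */
function callableCheckIsEnforced(): bool
{
    $twig = buildEnvironment();
    try {
        $out = $twig->render('untrusted/tpl', ['names' => ['alice', 'bob']]);
    } catch (TwigError $e) {
        echo "rejected by sandbox: {$e->getMessage()}\n";
        return true;
    }
    echo "callable executed, template rendered: {$out}\n";
    return false;
}

exit(callableCheckIsEnforced() ? 0 : 1);
```

Run it against the Twig version actually installed in the application (the script exits 0 when the check is enforced and 1 when the callable ran). Because the template name carries the "untrusted/" prefix, the only way the callable can run is if the callable check ignores the source policy, which is exactly the defect this advisory describes.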