[Git][security-tracker-team/security-tracker][master] new php-twig issues

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu May 21 09:16:15 BST 2026 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d4f16921 by Moritz Muehlenhoff at 2026-05-21T10:15:49+02:00
new php-twig issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,47 @@
+CVE-2026-47732
+	- php-twig <not-affected> (Introduced in 3.25)
+	NOTE: https://symfony.com/blog/cve-2026-47732-sandbox-multiple-tostring-policy-bypasses-via-unguarded-string-coercion-points
+CVE-2026-46634
+	- php-twig <unfixed>
+	[bookworm] - php-twig <not-affected> (Vulnerable code not present, introduced in 3.9.0)
+	[bullseye] - php-twig <not-affected> (Vulnerable code not present, introduced in 3.9.0)
+	NOTE: https://symfony.com/blog/cve-2026-46634-template-from-string-escapes-a-sourcepolicy-driven-sandbox-via-synthesized-template-name
+CVE-2026-46627
+	- php-twig <unfixed>
+	NOTE: https://symfony.com/blog/cve-2026-46627-sandbox-does-not-protect-against-resource-exhaustion
+CVE-2026-46635
+	- php-twig <unfixed>
+	NOTE: https://symfony.com/blog/cve-2026-46635-sandbox-property-allowlist-bypass-via-the-column-filter-array-column-on-objects
+CVE-2026-46628
+	- php-twig <unfixed>
+	NOTE: https://symfony.com/blog/cve-2026-46628-the-spaceless-filter-implicitly-marks-its-output-as-safe
+CVE-2026-46629
+	- php-twig <unfixed>
+	NOTE: https://symfony.com/blog/cve-2026-46629-unbounded-formatter-memoisation-in-twig-intl-extra-keyed-on-template-controlled-arguments
+CVE-2026-46633
+	- php-twig <unfixed>
+	NOTE: https://symfony.com/blog/cve-2026-46633-php-code-injection-via-use-template-name
+CVE-2026-47730
+	- php-twig <unfixed>
+	[bullseye] - php-twig <not-affected> (Vulnerable code not present, introduced in 3.0.0)
+	NOTE: https://symfony.com/blog/cve-2026-47730-xss-in-profiler-htmldumper-via-unescaped-template-and-profile-names
+CVE-2026-46637
+	- php-twig <unfixed>
+	NOTE: https://symfony.com/blog/cve-2026-46637-html-output-filters-in-twig-extras-incorrectly-declared-is-safe-all
+CVE-2026-46638
+	- php-twig <unfixed>
+	NOTE: https://symfony.com/blog/cve-2026-46638-sandbox-include-skips-checksecurity-on-cached-templates-incomplete-fix-for-cve-2024-45411
+CVE-2026-46639
+	- php-twig <unfixed>
+	[trixie] - php-twig <not-affected> (Vulnerable code not present, introduced in 3.24)
+	[bookworm] - php-twig <not-affected> (Vulnerable code not present, introduced in 3.24)
+	[bullseye] - php-twig <not-affected> (Vulnerable code not present, introduced in 3.24)
+	NOTE: https://symfony.com/blog/cve-2026-46639-sandbox-property-and-method-bypass-via-object-destructuring-assignment
+CVE-2026-46640
+	- php-twig <unfixed>
+	[bookworm] - php-twig <not-affected> (Vulnerable code not present, introduced in 3.15)
+	[bullseye] - php-twig <not-affected> (Vulnerable code not present, introduced in 3.15)
+	NOTE: https://symfony.com/blog/cve-2026-46640-arbitrary-php-code-execution-via-self-string-macro-reference-compilation
 CVE-2026-9152 (A missing authentication vulnerability exists in the Altium 365 Search ...)
 	NOT-FOR-US: Altium
 CVE-2026-9150 (A flaw was found in libsolv. This stack-based buffer overflow vulnerab ...)
@@ -346,7 +390,8 @@ CVE-2026-25602 (Insufficient Verification of Data Authenticity vulnerability in
 CVE-2026-24573 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-24425 (Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass ...)
-	TODO: check
+	- php-twig <unfixed>
+	NOTE: https://symfony.com/blog/cve-2026-24425-possible-sandbox-bypass-when-using-a-source-policy
 CVE-2026-22554 (MediaArea MediaInfoLib Channel Splitting heap-based buffer overflow vu ...)
 	TODO: check
 CVE-2026-22315 (Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client L ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -87,6 +87,8 @@ pdfminer (carnil)
 --
 php-laravel-framework/oldstable
 --
+php-twig
+--
 python-aiohttp/oldstable
 --
 rtpengine



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4f16921b3673ea964a3adc01a13db029b08ab27

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4f16921b3673ea964a3adc01a13db029b08ab27
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260521/07ea3507/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list