[Git][security-tracker-team/security-tracker][master] Track fixed version for php-twig issues

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu May 28 05:29:05 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
00ada3cf by Salvatore Bonaccorso at 2026-05-28T06:28:21+02:00
Track fixed version for php-twig issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -648,28 +648,28 @@ CVE-2026-48489
 	NOTE: https://symfony.com/blog/cve-2026-48489-security-firewall-bypass-via-failure-forward-subrequest
 	NOTE: https://github.com/symfony/symfony/commit/c48a4276309e11aedeeb0ce3a89dfbf0b4fe04ff (v5.4.53)
 CVE-2026-46636
-	- php-twig <unfixed>
+	- php-twig 3.27.0-1
 	NOTE: https://symfony.com/blog/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders
 CVE-2026-48806
-	- php-twig <unfixed>
+	- php-twig 3.27.0-1
 	[trixie] - php-twig <not-affected> (Fix for CVE-2026-47732 not yet shipped)
 	[bookworm] - php-twig <not-affected> (Fix for CVE-2026-47732 not yet shipped)
 	[bullseye] - php-twig <not-affected> (Fix for CVE-2026-47732 not yet shipped)
 	NOTE: https://symfony.com/blog/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynamic-mapping-keys
 CVE-2026-48807
-	- php-twig <unfixed>
+	- php-twig 3.27.0-1
 	[trixie] - php-twig <not-affected> (Fix for CVE-2026-47732 not yet shipped)
 	[bookworm] - php-twig <not-affected> (Fix for CVE-2026-47732 not yet shipped)
 	[bullseye] - php-twig <not-affected> (Fix for CVE-2026-47732 not yet shipped)
 	NOTE: https://symfony.com/blog/cve-2026-48807-sandbox-tostring-policy-bypass-via-traversable-in-join-replace-and-in-not-in-operators
 CVE-2026-48808
-	- php-twig <unfixed>
+	- php-twig 3.27.0-1
 	[trixie] - php-twig <not-affected> (Fix for CVE-2026-46635 not yet shipped)
 	[bookworm] - php-twig <not-affected> (Fix for CVE-2026-46635 not yet shipped)
 	[bullseye] - php-twig <not-affected> (Fix for CVE-2026-46635 not yet shipped)
 	NOTE: https://symfony.com/blog/cve-2026-48808-sandbox-property-allowlist-bypass-via-the-column-filter-under-sourcepolicyinterface
 CVE-2026-48805
-	- php-twig <unfixed>
+	- php-twig 3.27.0-1
 	NOTE: https://symfony.com/blog/cve-2026-48805-sandbox-state-regression-in-deprecated-internal-wrappers-in-src-resources-core-php
 CVE-2026-47770
 	- jq 1.8.1-7
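Review bot: Under CVE-2026-48806, CVE-2026-48807 and CVE-2026-48808 the [trixie], [bookworm] and [bullseye] lines remain <not-affected> solely because the fix for CVE-2026-47732 (CVE-2026-46635 in the case of CVE-2026-48808) has not shipped in those suites. Those annotations become wrong as soon as either fix is backported, so any stable upload carrying them needs the corresponding changes from 3.27.0 as well, and these three entries should be revisited at that point. CVE-2026-46636 and CVE-2026-48805 have no per-release lines in this hunk, so with the unstable entry now at 3.27.0-1 the older suites still need their own triage there.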



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00ada3cf4806c2090cb07061612b6c2cc5ad9682
