CVE 8.7 HIGH

Twig 2.16.x & 3.9.0-3.25.x Sandbox Bypass via SourcePolicyInterface_CVE-2026-24425

May 20, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.

AI Analysis

Sandbox bypass vulnerability in Twig versions 2.16.x and 3.9.0 through 3.25.x when using a SourcePolicyInterface, allowing attackers to execute arbitrary code

Basic Information

ID CVE-2026-24425

Source VulnCheck

Published May 20, 2026 at 13:45

Affected Product

Vendor twigphp

Product Twig

Version 3.9.0

Affected Versions twigphp Twig 3.9.0
twigphp Twig 2.16.*

CWE Classification

CWE-693

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor twigphp

Product Twig

Version 2.16.x, 3.9.0-3.25.x

References

{
    "lastseen": "",
    "description": "Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.",
    "published": "2026-05-20T13:45:02.413Z",
    "modified": "2026-05-20T13:45:43.338Z",
    "type": "cve",
    "title": "Twig 2.16.x & 3.9.0-3.25.x Sandbox Bypass via SourcePolicyInterface",
    "source": "VulnCheck",
    "references": "https://github.com/twigphp/Twig/security/advisories/GHSA-2q52-x2ff-qgfr\nhttps://github.com/twigphp/Twig/releases/tag/v3.26.0\nhttps://www.vulncheck.com/advisories/twig-x-x-sandbox-bypass-via-sourcepolicyinterface",
    "id": "CVE-2026-24425",
    "bulletinFamily": "",
    "cwe": [
        "CWE-693"
    ],
    "cvelist": null,
    "sourceData": "twigphp Twig 3.9.0\ntwigphp Twig 2.16.*",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Twig",
    "version": "3.9.0",
    "vendor": "twigphp",
    "ai_description": "Sandbox bypass vulnerability in Twig versions 2.16.x and 3.9.0 through 3.25.x when using a SourcePolicyInterface, allowing attackers to execute arbitrary code",
    "ai_severity": "High",
    "ai_vendor": "twigphp",
    "ai_product": "Twig",
    "ai_version": "2.16.x, 3.9.0-3.25.x",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply