CVE-2026-24425
Analyzed - Analysis Complete
Twig Sandbox Bypass via SourcePolicyInterface

Publication date: 2026-05-20

Last updated on: 2026-06-02

Assigner: VulnCheck

Description
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass when the sandbox is enabled through a SourcePolicyInterface. An attacker who can render templates can pass an arbitrary PHP callable to the sort, filter, map and reduce filters. The runtime check that validates those callables does not use the current template's Source, so when the sandbox is enabled by a source policy rather than globally the check does not see the template as sandboxed, the callable is invoked, and arbitrary code can be executed.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
Vendor    Product   Version / Range
symfony   twig      >= 2.16.0, <= 2.16.1
symfony   twig      >= 3.9.0, < 3.26.0
CWE-693 (Protection Mechanism Failure): The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
AI Quick Actions
Executive Summary

CVE-2026-24425 is a sandbox bypass vulnerability in Twig versions 2.16.x and 3.9.0 through 3.25.x. It occurs when using a SourcePolicyInterface for sandboxing, allowing attackers who have template rendering capabilities to pass arbitrary PHP callables to filters such as sort, filter, map, and reduce. This happens because the runtime check fails to use the current template source when sandboxing is enabled via a source policy rather than globally. As a result, attackers can bypass sandbox restrictions and potentially execute arbitrary code.

Impact Analysis

This vulnerability can have a high impact on the confidentiality, integrity, and availability of your system. An attacker with the ability to render templates can exploit this flaw to bypass sandbox restrictions and execute arbitrary PHP code. This could lead to unauthorized code execution, data breaches, or disruption of service within applications using affected Twig versions.

Mitigation Strategies

To mitigate this vulnerability, upgrade Twig to version 3.26.0 or later, where the issue is fixed. The affected-range table above also lists 2.16.0 and 2.16.1 as affected, and this page names no fixed 2.16.x release, so 2.x deployments should likewise move to 3.26.0 or later.

The fix passes the template's Source object to the callable validation check, so the sandbox is recognized as active when it is enabled through a source policy and the callable is rejected instead of being invoked.

If upgrading immediately is not possible, restrict template rendering to trusted users, since exploitation requires the ability to render templates. The description states that the bypass applies only when the sandbox is enabled through a source policy rather than globally; whether switching to a globally enabled sandbox is an acceptable interim configuration depends on whether the templates you do trust rely on features the security policy denies.
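The following PHP script is an added example, not code from this advisory or from the Twig project. It contrasts the two sandbox configurations the description distinguishes: the sandbox enabled globally, and the sandbox enabled only through a SourcePolicyInterface, which is the configuration the bypass applies to. It assumes twig/twig is installed with Composer and that SandboxExtension's constructor takes (SecurityPolicyInterface $policy, bool $sandboxed, ?SourcePolicyInterface $sourcePolicy) as in the Twig 3.9+ documentation; the class UntrustedSourcePolicy, the function demo_upper, the helper renderWith and the template are constructed for this example.

```php
<?php
// Added example: contrasts a globally enabled sandbox with one enabled through a
// SourcePolicyInterface, the configuration the description says is bypassable.
// Not code from the advisory or from the Twig project. Assumes twig/twig is
// installed with Composer and that SandboxExtension takes
// (SecurityPolicyInterface $policy, bool $sandboxed, ?SourcePolicyInterface $sourcePolicy),
// as documented for Twig 3.9+.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Hypothetical policy: sandbox every template whose name starts with "user/",
// i.e. templates that came from untrusted authors.
final class UntrustedSourcePolicy implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        return str_starts_with($source->getName(), 'user/');
    }
}

// Harmless stand-in for "an arbitrary PHP callable". The template below names it
// as a string; an attacker would name something far more dangerous. The map
// filter invokes the callable as ($value, $key).
function demo_upper(string $value, $key = null): string
{
    return strtoupper($value);
}

// Constructed template: a string callable where an arrow function (v => ...) is
// expected. In sandbox mode Twig requires the callable passed to these filters
// to be a Closure, so this must be rejected whenever the sandbox is active.
$template = "{{ ['a', 'b']|map('demo_upper')|join(',') }}";

// Minimal policy: no tags, methods, properties or functions; only the two
// filters the template needs.
$policy = new SecurityPolicy([], ['map', 'join'], [], [], []);

// Hypothetical helper: build an environment around one sandbox configuration,
// render one template, and report whether the sandbox intervened.
function renderWith(SandboxExtension $sandbox, string $name, string $code): string
{
    $twig = new Environment(new ArrayLoader([$name => $code]));
    $twig->addExtension($sandbox);
    try {
        return 'rendered: ' . $twig->render($name);
    } catch (SecurityError | RuntimeError $e) {
        return 'blocked: ' . $e->getMessage();
    }
}

// 1. Sandbox enabled globally ($sandboxed = true). Per the description this
//    configuration is not affected: the callable check sees the sandbox and
//    rejects the string callable.
echo renderWith(new SandboxExtension($policy, true), 'user/page.twig', $template), "\n";

// 2. Sandbox enabled only by the source policy. On affected versions (2.16.x,
//    3.9.0 to 3.25.x) the callable check does not consult the template Source,
//    so the sandbox is not seen as active and demo_upper runs. On a fixed
//    release (3.26.0 or later) the string callable is rejected as in case 1.
echo renderWith(new SandboxExtension($policy, false, new UntrustedSourcePolicy()), 'user/page.twig', $template), "\n";
```

Run it once before and once after upgrading twig/twig: on an affected version the two lines differ, on a fixed version both report that the sandbox blocked the callable. The same script, with the template swapped for the ones your application actually accepts, is a quick regression check that source-policy sandboxing is being enforced.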

Compliance Impact

CVE-2026-24425 allows attackers to bypass sandbox restrictions and execute arbitrary code in Twig template environments. This can lead to unauthorized access, modification, or disruption of sensitive data and systems.

Such unauthorized code execution and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability.

Failure to prevent such vulnerabilities may result in violations of these regulations due to exposure or compromise of protected data.

Detection Guidance

Detection of CVE-2026-24425 involves identifying if your system is running affected versions of the Twig template engine, specifically versions 2.16.x and 3.9.0 through 3.25.x.

You can check the installed Twig version from the environment where Twig runs:

  • For Composer-managed PHP projects, run: composer show twig/twig (or read the twig/twig entry in composer.lock).
  • Alternatively, read the Twig\Environment::VERSION constant in vendor/twig/twig/src/Environment.php, or the CHANGELOG shipped in the same package.

Exploitation requires both sandbox use through SourcePolicyInterface and the ability to render templates, and the bypass needs a callable that is not an arrow function (typically a quoted PHP function name) as the argument of sort, filter, map or reduce. Twig itself does not log filter arguments, so detecting attempts means scanning the template sources your application accepts or stores for those filters called with a string literal instead of an arrow function and, if you log rendered template sources at the application level, searching that log the same way.
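The PHP script below is an added example that is not part of this advisory. It performs the two checks described in this section: it reads composer.lock and compares the installed twig/twig version against the affected ranges listed in the table above, and it scans template sources for a quoted string, rather than an arrow function, passed to sort, filter, map or reduce. The function names, the composer.lock excerpt and the templates are constructed for this example, and the regular expression is a heuristic rather than a Twig parser.

```php
<?php
// Added example (not from the advisory): two checks that follow the detection
// guidance. (1) Read composer.lock and compare the installed twig/twig version
// against the affected ranges from the CPE table on this page. (2) Scan
// template sources for a quoted string, rather than an arrow function, passed
// to sort/filter/map/reduce, which is the shape the described bypass needs.
// The function names, the composer.lock excerpt and the templates are
// constructed for this example; the regex is a heuristic, not a Twig parser.

function twigVersionAffected(string $version): bool
{
    $v = ltrim($version, 'v');               // composer.lock stores "v3.25.1"
    $in2x = version_compare($v, '2.16.0', '>=') && version_compare($v, '2.16.1', '<=');
    $in3x = version_compare($v, '3.9.0', '>=') && version_compare($v, '3.26.0', '<');
    return $in2x || $in3x;
}

function twigVersionFromLock(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $package) {
            if (($package['name'] ?? '') === 'twig/twig') {
                return $package['version'];
            }
        }
    }
    return null;
}

// Heuristic: only a named PHP callable can be written as a string literal in the
// argument position where Twig expects an arrow function. Callables held in
// variables or built by expressions are not caught.
function findStringCallables(string $template): array
{
    $pattern = '/\|\s*(sort|filter|map|reduce)\s*\(\s*([\'"])([^\'"]*)\2/';
    preg_match_all($pattern, $template, $matches, PREG_SET_ORDER);
    return array_map(
        static fn(array $m): array => ['filter' => $m[1], 'callable' => $m[3]],
        $matches
    );
}

// Constructed sample inputs.
$lockJson = '{"packages":[{"name":"twig/twig","version":"v3.25.1"}],"packages-dev":[]}';
$templates = [
    'user/ok.twig'      => "{{ people|map(p => p.name|upper)|join(', ') }}",
    'user/suspect.twig' => "{{ names|map('ucfirst') }}\n{{ names|sort('strcmp')|join(' ') }}",
];

$version = twigVersionFromLock($lockJson);
if ($version === null) {
    echo "twig/twig not found in composer.lock\n";
} else {
    $status = twigVersionAffected($version)
        ? 'in an affected range (CVE-2026-24425)'
        : 'outside the affected ranges';
    echo "twig/twig {$version}: {$status}\n";
}

foreach ($templates as $name => $source) {
    foreach (findStringCallables($source) as $hit) {
        echo "{$name}: |{$hit['filter']} called with string callable '{$hit['callable']}'\n";
    }
}
```

Point twigVersionFromLock at the real composer.lock and feed findStringCallables the templates your application stores or receives; a hit from the scanner is worth reviewing even on a fixed version, because a string callable in those positions is never legitimate in a sandboxed template.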
