CVE-2026-24425
Status: Awaiting Analysis - Queue
Twig Sandbox Bypass via SourcePolicyInterface

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: VulnCheck

Description
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-05-20
AI Q&A: 2026-05-20
EPSS Evaluated: N/A
Affected Vendors & Products (4 associated CPEs)
Vendor  Product  Version / Range
twig    twig     From 2.16.0 (inc)
twig    twig     From 3.9.0 (inc) to 3.26.0 (exc)
twig    twig     3.25
twig    twig     3.26
CWE
CWE-693: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24425 is a sandbox bypass vulnerability in Twig versions 2.16.x and 3.9.0 through 3.25.x. It occurs when using a SourcePolicyInterface for sandboxing, allowing attackers who have template rendering capabilities to pass arbitrary PHP callables to filters such as sort, filter, map, and reduce. This happens because the runtime check fails to use the current template source when sandboxing is enabled via a source policy rather than globally. As a result, attackers can bypass sandbox restrictions and potentially execute arbitrary code.


How can this vulnerability impact me?

This vulnerability can have a high impact on the confidentiality, integrity, and availability of your system. An attacker with the ability to render templates can exploit this flaw to bypass sandbox restrictions and execute arbitrary PHP code. This could lead to unauthorized code execution, data breaches, or disruption of service within applications using affected Twig versions.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Twig to version 3.26.0 or later, where the issue has been fixed.

The fix ensures that the sandbox mechanism correctly enforces source-policy sandboxing by properly passing the Source object during validation checks, preventing attackers from bypassing sandbox restrictions.

If upgrading immediately is not possible, consider restricting template rendering capabilities to trusted users only, as the vulnerability requires template rendering privileges to be exploited.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-24425 allows attackers to bypass sandbox restrictions and execute arbitrary code in Twig template environments. This can lead to unauthorized access, modification, or disruption of sensitive data and systems.

Such unauthorized code execution and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability.

Failure to prevent such vulnerabilities may result in violations of these regulations due to exposure or compromise of protected data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2026-24425 involves identifying if your system is running affected versions of the Twig template engine, specifically versions 2.16.x and 3.9.0 through 3.25.x.

You can check the installed Twig version by running commands in your environment where Twig is used.

  • For PHP projects using Composer, run: composer show twig/twig
  • Alternatively, check the Twig version in your codebase or vendor directory by inspecting the version file or changelog.

Since exploitation requires template rendering capability and a sandbox enabled through a SourcePolicyInterface, monitoring logs for suspicious template rendering, or for PHP callables being passed to the sort, filter, map, and reduce filters, may help detect exploitation attempts.
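As an added example (not code from the Twig project or from this CVE record), the following POSIX shell script reads the locked twig/twig version out of a composer.lock and classifies it against the affected ranges listed on this page. The composer.lock fragment it runs on is constructed for the demonstration; point `twig_version_from_lock` at a real lock file to check a project.

```shell
#!/bin/sh
# Added example (not Twig project code): classify an installed twig/twig
# version against the affected ranges this page lists: 2.16.x, and
# 3.9.0 (inclusive) up to 3.26.0 (exclusive, i.e. the fixed release).
# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B. Dotted numeric versions
# only; a leading "v" and any "-suffix" (e.g. -RC1) are ignored.
vercmp() {
  a=${1#v}; b=${2#v}
  a=${a%%-*}; b=${b%%-*}
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
    [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return 0; }
    [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return 0; }
  done
  echo 0
}

# twig_affected VERSION: exit status 0 if VERSION is in an affected range.
twig_affected() {
  [ "$(vercmp "$1" 2.16.0)" -ge 0 ] && [ "$(vercmp "$1" 2.17.0)" -lt 0 ] && return 0
  [ "$(vercmp "$1" 3.9.0)" -ge 0 ] && [ "$(vercmp "$1" 3.26.0)" -lt 0 ] && return 0
  return 1
}

# twig_version_from_lock FILE: print the locked twig/twig version from a
# composer.lock, where "name" precedes "version" inside each package object.
twig_version_from_lock() {
  awk '/"name": *"twig\/twig"/ { found = 1 }
       found && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }' "$1"
}

# Constructed composer.lock fragment so the script runs stand-alone.
sample_lock() {
  cat <<'EOF'
        { "name": "symfony/yaml", "version": "v7.2.0" },
        { "name": "twig/twig",
          "version": "v3.25.0" }
EOF
}

tmp=$(mktemp)
sample_lock > "$tmp"
ver=$(twig_version_from_lock "$tmp")
rm -f "$tmp"
if twig_affected "$ver"; then echo "twig/twig $ver: affected, upgrade to 3.26.0+"
else echo "twig/twig $ver: not in an affected range"; fi
```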

