CVE-2026-24425 · HIGH 8.8 · EPSS percentile 47.3%

symfony / twig

Description

Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when the sandbox is enabled through a SourcePolicyInterface. An attacker with template rendering capabilities can pass arbitrary PHP callables to the sort, filter, map, and reduce filters, because the runtime check does not use the current template's source and therefore does not apply the sandbox restrictions when the sandbox is enabled via a source policy rather than globally. This allows arbitrary code execution.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% probability of exploitation · percentile 47.3% · 2026-06-18T12:00:27Z
Published: 2026-05-20
Last modified: 2026-06-02

Underlying weaknesses · 1

CWE-693

References

  1. https://github.com/twigphp/Twig/releases/tag/v3.26.0
  2. https://github.com/twigphp/Twig/security/advisories/GHSA-2q52-x2ff-qgfr
  3. https://www.vulncheck.com/advisories/twig-x-x-sandbox-bypass-via-sourcepolicyinterface

Type       Target                                   Confidence  Tier
Weakness   Protection Mechanism Failure (CWE-693)   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-66844
  2. CVE-2025-48828
  3. CVE-2025-54815
  4. CVE-2025-66299
  5. CVE-2025-26525
  6. CVE-2026-30694

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.