cbcvebase.
CVE-2026-24425
published 2026-05-20


Priority: P262, critical, CVSS 3.1 base score 9.9
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
EPSS: 0.74% (49.9th percentile)
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.

Affected (7 ranges)

Vendor    Product    Version range        Fixed in
symfony   twig       2.16.0 – 2.16.1
symfony   twig       >= 3.9.0 < 3.26.0    3.26.0
twig      twig       2.16.0 – 2.16.1
twig      twig       >= 3.9.0 < 3.26.0    3.26.0
twigphp   twig
twigphp   twig       >= 3.9.0 < 3.26.0    3.26.0
ubuntu    php-twig

Detection & IOCs (extracted from sources)

  • Exploitation targets the `sort`, `filter`, `map`, and `reduce` Twig filters — monitor template rendering requests that pass arbitrary PHP callables to these filters when a SourcePolicyInterface-based sandbox is in use.
  • Vulnerability is only exploitable when the sandbox is enabled via a source policy (SourcePolicyInterface) rather than globally — detection should focus on environments using per-source sandbox policies, not globally-enabled sandboxes.
  • The bypass mechanism abuses a runtime check that fails to use the current template source — look for anomalous callable values in Twig filter arguments that would normally be blocked by sandbox policy.
  • Exploitation requires an authenticated user with template rendering capabilities — correlate suspicious Twig filter usage with authenticated sessions in application logs.
  • Affected versions are Twig 2.16.x and 3.9.0 through 3.25.x — verify deployed Twig version to scope detection and patching efforts.
  • The vulnerability only manifests when a SourcePolicyInterface is used to enable the sandbox; globally-enabled sandboxes are NOT affected — audit Twig configuration to determine exposure.
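
The version and configuration audit the last two points call for, as an added example that is not code from the advisory or the Twig project. It assumes the Twig 3.x classes `Environment`, `SandboxExtension`, `SecurityPolicy`, `SourcePolicyInterface` and `Source`, the `SandboxExtension` constructor order (policy, sandboxed, sourcePolicy) and its `isSandboxedGlobally()` method; the `UntrustedPathSourcePolicy` class and the helper function names are hypothetical.

```php
<?php
// Added audit example for CVE-2026-24425; not from the advisory or from Twig.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoload path

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Check 1: version scoping. The advisory lists 2.16.x and 3.9.0 <= v < 3.26.0
// as affected, with 3.26.0 as the fixed release on the 3.x line.
function twigVersionIsAffected(string $version): bool
{
    $in3x = version_compare($version, '3.9.0', '>=') && version_compare($version, '3.26.0', '<');
    $in2x = version_compare($version, '2.16.0', '>=') && version_compare($version, '2.17.0', '<');
    return $in3x || $in2x;
}

// Hypothetical per-source policy: sandbox only templates named "untrusted/...".
// This is the SourcePolicyInterface pattern the advisory says is affected.
final class UntrustedPathSourcePolicy implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        return str_starts_with($source->getName(), 'untrusted/');
    }
}

$policy = new SecurityPolicy(['if', 'for'], ['escape', 'upper'], [], [], []);

// Exposed pattern on an affected version: global flag off, source policy on.
$perSource = new SandboxExtension($policy, false, new UntrustedPathSourcePolicy());

// Pattern the advisory describes as not affected: sandbox enabled globally.
$global = new SandboxExtension($policy, true);

// Check 2: combine version and configuration into one exposure verdict.
function exposureReport(SandboxExtension $ext, string $version): string
{
    if (!twigVersionIsAffected($version)) {
        return "not affected: Twig $version is outside the advisory range";
    }
    if ($ext->isSandboxedGlobally()) {
        return "not affected per advisory: sandbox enabled globally on $version (upgrade to 3.26.0 anyway)";
    }
    return "EXPOSED: Twig $version with sandbox enabled per source; upgrade to 3.26.0";
}

echo exposureReport($perSource, Environment::VERSION), PHP_EOL;
echo exposureReport($global, Environment::VERSION), PHP_EOL;
```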

CVSS provenance

NVD, CVSS v3.1: 9.9 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD, CVSS v4.0: 8.7 HIGH, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X