Twig (PHP Template Engine), Sandbox Bypass via Deprecated Internal Wrappers, CVE-2026-48805 (Medium) -DC-Jun2026-760


How CVE-2026-48805 Works

The Twig templating engine for PHP introduced a source-policy hardening feature in version 3.26.0. As part of this change, the signature of the `CoreExtension::checkArrow()` method was modified to accept a boolean `$isSandboxed` parameter instead of an `Environment` object. The `$isSandboxed` argument was also added to `CoreExtension::arraySome()` and `CoreExtension::arrayEvery()`. Compiled templates were updated to pass the correct per-source sandbox state at the call site.
However, the deprecated internal wrappers (`twig_check_arrow_in_sandbox()`, `twig_array_some()` and `twig_array_every()`), exposed in `src/Resources/core.php` for legacy third-party code, were not updated to reflect these changes.

This oversight leads to two distinct security issues:

  1. Silent Sandbox Bypass: The `twig_array_some()` and `twig_array_every()` wrappers call `CoreExtension::arraySome()` and `CoreExtension::arrayEvery()` without forwarding the sandbox state. The underlying methods default `$isSandboxed` to `false`. Consequently, the callable-must-be-a-Closure restriction is silently skipped in sandbox mode, and a string callable such as `'strcmp'` is accepted. This could allow an attacker to execute arbitrary PHP functions.
  2. TypeError on PHP 8+: The `twig_check_arrow_in_sandbox()` wrapper passes an `Environment` object where `CoreExtension::checkArrow()` now expects a boolean. This results in a `TypeError` on PHP 8 and above.

Compiled Twig templates are not affected, as they call the `CoreExtension::` methods directly with the correct arguments. The vulnerability only impacts applications that still call the deprecated `twig_` helpers on top of a sandboxed `Environment`.

The fix, implemented in Twig 3.27.0, makes the three wrappers resolve the current sandbox state via `twig_resolve_is_sandboxed()` and forward it to the corresponding `CoreExtension::` method.
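To make the state regression concrete, here is an added, self-contained model of the defaulted-parameter problem described above. It is illustration code written for this page, not Twig's own source: `model_check_arrow()`, `model_array_some()`, `legacy_wrapper_array_some()` and `fixed_wrapper_array_some()` are hypothetical stand-ins for `CoreExtension::checkArrow()`, `CoreExtension::arraySome()`, the pre-fix `twig_array_some()` wrapper and the 3.27.0 wrapper respectively, and the `$currentlySandboxed` flag stands in for what `twig_resolve_is_sandboxed()` resolves.

```php
<?php
// Added illustration of the CVE-2026-48805 pattern (not Twig's code; names are hypothetical).

final class SandboxViolation extends \RuntimeException {}

/** Model of CoreExtension::checkArrow(): in sandbox mode only Closures may be used as callables. */
function model_check_arrow(mixed $arrow, bool $isSandboxed = false): void
{
    if ($isSandboxed && !$arrow instanceof \Closure) {
        throw new SandboxViolation('Sandboxed templates may only pass a Closure as the callable');
    }
}

/** Model of CoreExtension::arraySome(): note the dangerous default of $isSandboxed = false. */
function model_array_some(array $array, callable $arrow, bool $isSandboxed = false): bool
{
    model_check_arrow($arrow, $isSandboxed);
    foreach ($array as $k => $v) {
        if ($arrow($v, $k)) {
            return true;
        }
    }
    return false;
}

/** Wrapper as it was before the fix: the sandbox state is never forwarded, so the default wins. */
function legacy_wrapper_array_some(array $array, callable $arrow): bool
{
    return model_array_some($array, $arrow);
}

/** Wrapper as fixed in 3.27.0: resolve the current sandbox state and forward it explicitly. */
function fixed_wrapper_array_some(bool $currentlySandboxed, array $array, callable $arrow): bool
{
    return model_array_some($array, $arrow, $currentlySandboxed);
}

$currentlySandboxed = true; // stands in for twig_resolve_is_sandboxed()

// Legacy wrapper: the string callable is accepted even though we are sandboxed.
var_dump(legacy_wrapper_array_some([1, 2], 'strcmp')); // bool(true) - check silently skipped

// Fixed wrapper: the same string callable is rejected.
try {
    fixed_wrapper_array_some($currentlySandboxed, [1, 2], 'strcmp');
} catch (SandboxViolation $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Closures remain allowed in sandbox mode, as intended.
var_dump(fixed_wrapper_array_some($currentlySandboxed, [1, 2], fn ($v) => $v > 1)); // bool(true)
```

The security-relevant design point is the default value: a boolean security flag that defaults to "not enforced" turns every caller that forgets to pass it into a silent bypass. A fail-closed default (`$isSandboxed = true`, or no default at all so that PHP raises an error at the call site) would have surfaced the un-updated wrappers as a loud failure instead of a quiet one.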

DailyCVE Form:

Platform: Twig (PHP)
Version: <=3.26.0
Vulnerability: Sandbox Bypass
Severity: Medium
Date: 2026-05-27

Prediction: 2026-06-10 (Twig 3.27.0)

What Undercode Say:

  • Vulnerability Type: Sandbox Bypass via State Regression
  • Root Cause: Deprecated wrappers not updated
  • Attack Vector: String callables in sandbox
  • PHP Version Impact: TypeError on PHP 8+
  • Fix Method: Forward sandbox state
  • Patch Status: Fixed in v3.27.0

Exploit:

```shell
# Check whether the installed Twig version is vulnerable (<= 3.26.0)
composer show twig/twig | grep versions
```

```php
<?php
// Example vulnerable setup (sandboxed environment), made runnable against Twig's real API
use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// Twig enables the sandbox through SandboxExtension (second argument = sandboxed globally),
// not through an Environment option; the policy allows the has_some filter so the
// callable check, not the filter allow-list, is what gets exercised.
$twig = new Environment(new ArrayLoader());
$twig->addExtension(new SandboxExtension(new SecurityPolicy([], ['has_some']), true));

// Compiled templates forward the sandbox state correctly, so this string callable is
// rejected even on 3.26.0; the regression only reaches code that goes through the
// deprecated twig_ wrappers below. (The template filter is has_some; Twig has no array_some.)
$template = $twig->createTemplate('{{ [1, 2]|has_some("strcmp") }}');
echo $template->render();

$array = [1, 2];
// Vulnerable wrapper call (<= 3.26.0): $isSandboxed is never forwarded and defaults to false,
// so the string callable is accepted inside the sandboxed Environment
twig_array_some($array, 'strcmp');
// The same call on 3.27.0: the wrapper resolves the sandbox state via
// twig_resolve_is_sandboxed() and forwards it, so the string callable is rejected
twig_array_some($array, 'strcmp');
```

Protection:

  • Upgrade: Update to Twig 3.27.0 or later
  • Avoid Deprecated Helpers: Do not use `twig_` wrappers
  • Code Review: Check for `twig_array_some()`, `twig_array_every()` and `twig_check_arrow_in_sandbox()` usage
  • Sandbox Policy: Ensure `SourcePolicyInterface` is properly configured
  • Input Validation: Sanitize user-supplied callables in templates
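For the code-review step, here is an added scanner (not part of the advisory or of Twig) that locates real calls to the three deprecated wrappers in a PHP code base. It uses PHP's tokenizer rather than `grep`, so the names inside comments and string literals are not reported, and it recognises both bare and fully-qualified (`\twig_array_some`) call forms. The `find_deprecated_twig_calls()` and `scan_directory()` names and the sample source are constructed for this example; the directory path is whatever you pass on the command line.

```php
<?php
// Added example: find calls to the deprecated twig_ helpers named in CVE-2026-48805.
// Requires PHP 8 (uses T_NAME_FULLY_QUALIFIED). Function names here are hypothetical.

const DEPRECATED_TWIG_HELPERS = [
    'twig_array_some',
    'twig_array_every',
    'twig_check_arrow_in_sandbox',
];

/**
 * Return every call site of a deprecated helper in $source.
 * @return array<int, array{file: string, line: int, name: string}>
 */
function find_deprecated_twig_calls(string $source, string $file = 'inline'): array
{
    $hits   = [];
    $tokens = token_get_all($source);
    $count  = count($tokens);

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        // Identifiers come through as T_STRING (foo) or T_NAME_FULLY_QUALIFIED (\foo);
        // comments and string literals are different token types and are skipped here.
        if (!is_array($tok) || !in_array($tok[0], [T_STRING, T_NAME_FULLY_QUALIFIED], true)) {
            continue;
        }
        $name = ltrim($tok[1], '\\');
        if (!in_array(strtolower($name), DEPRECATED_TWIG_HELPERS, true)) {
            continue;
        }
        // Only report real calls: the next non-whitespace token must be an opening parenthesis.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j < $count && $tokens[$j] === '(') {
            $hits[] = ['file' => $file, 'line' => $tok[2], 'name' => $name];
        }
    }
    return $hits;
}

/** Walk a directory tree and scan every .php file. */
function scan_directory(string $dir): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $info) {
        if (strtolower($info->getExtension()) !== 'php') {
            continue;
        }
        $path = $info->getPathname();
        $hits = array_merge($hits, find_deprecated_twig_calls(file_get_contents($path), $path));
    }
    return $hits;
}

// Constructed sample: two real calls, plus a comment and a string that must NOT be reported.
$sample = <<<'PHP'
<?php
// legacy note: twig_array_some() used to be called here
$label = 'twig_array_every';
$any = twig_array_some($items, 'strcmp');
$all = \twig_array_every($items, fn ($v) => $v > 0);
PHP;

$hits = isset($argv[1]) ? scan_directory($argv[1]) : find_deprecated_twig_calls($sample, 'sample.php');
foreach ($hits as $h) {
    printf("%s:%d: call to deprecated %s()\n", $h['file'], $h['line'], $h['name']);
}
// On the sample this prints lines 4 and 5 only; the comment on line 2 and the string on line 3 are ignored.
```

Run it as `php scan.php src/` to scan a tree, or with no argument to see the behaviour on the embedded sample. Any hit in code that runs on top of a sandboxed `Environment` is exactly the exposure the advisory describes, and upgrading to 3.27.0 removes the bypass even where the call cannot be refactored immediately.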

Impact:

  • Confidentiality: Potential exposure of sensitive data via arbitrary function calls
  • Integrity: Possible modification of application state through injected callables
  • Availability: Risk of denial of service via resource-exhausting functions
  • Attack Complexity: Low – requires ability to render Twig templates
  • Privileges Required: None – works within sandboxed environment
  • User Interaction: None – automated exploitation possible


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
