{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/twig-3.9.0-through-3.25.x/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-24425"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Twig (2.16.x)","Twig (3.9.0 through 3.25.x)"],"_cs_severities":["high"],"_cs_tags":["twig","sandbox-bypass","code-execution","cve-2026-24425"],"_cs_type":"threat","_cs_vendors":["Twigphp"],"content_html":"\u003cp\u003eTwig, a flexible template engine for PHP, is susceptible to a sandbox bypass vulnerability identified as CVE-2026-24425. This flaw affects versions 2.16.x and 3.9.0 through 3.25.x. The vulnerability resides within the SourcePolicyInterface, which is intended to enforce security restrictions on template execution. However, a flaw in the runtime check allows attackers with template rendering capabilities to circumvent these restrictions. Specifically, attackers can pass arbitrary PHP callables to \u003ccode\u003esort\u003c/code\u003e, \u003ccode\u003efilter\u003c/code\u003e, \u003ccode\u003emap\u003c/code\u003e, and \u003ccode\u003ereduce\u003c/code\u003e filters, leading to arbitrary code execution if the sandbox is enabled via a source policy. This bypass occurs because the runtime check fails to use the current template source, allowing malicious code to be injected and executed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains the ability to render Twig templates, often through a web application vulnerability such as template injection.\u003c/li\u003e\n\u003cli\u003eThe application uses a SourcePolicyInterface to enable a security sandbox for Twig templates.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Twig template that leverages the \u003ccode\u003esort\u003c/code\u003e, \u003ccode\u003efilter\u003c/code\u003e, \u003ccode\u003emap\u003c/code\u003e, or \u003ccode\u003ereduce\u003c/code\u003e filters.\u003c/li\u003e\n\u003cli\u003eWithin these filters, the attacker provides an arbitrary PHP callable function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable runtime check fails to properly validate the source of the template.\u003c/li\u003e\n\u003cli\u003eThe arbitrary PHP callable is executed without proper sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers with template rendering capabilities to bypass the intended security sandbox and execute arbitrary code on the server. This can lead to complete system compromise, data theft, or denial of service. While the specific number of affected installations is unknown, any application using Twig within the specified version range and relying on SourcePolicyInterface for sandboxing is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Twig to version 3.26.0 or later, which contains a fix for CVE-2026-24425.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, avoid using SourcePolicyInterface for sandboxing and rely on global sandbox settings instead.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to template rendering, particularly the use of \u003ccode\u003esort\u003c/code\u003e, \u003ccode\u003efilter\u003c/code\u003e, \u003ccode\u003emap\u003c/code\u003e, and \u003ccode\u003ereduce\u003c/code\u003e filters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Twig Sandbox Bypass Attempt via PHP Callable\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T14:17:58Z","date_published":"2026-05-20T14:17:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-twig-sandbox-bypass/","summary":"Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability (CVE-2026-24425) when using a SourcePolicyInterface, allowing attackers to pass arbitrary PHP callables and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.","title":"CVE-2026-24425: Twig Sandbox Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-twig-sandbox-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Twig (3.9.0 Through 3.25.x)","version":"https://jsonfeed.org/version/1.1"}