Vendor
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability (CVE-2026-24425) that applies when the sandbox is enabled through a SourcePolicyInterface source policy rather than globally. In that configuration, attackers can pass arbitrary PHP callables and execute arbitrary code.