
GHSA-8x9c-rmqh-456c: Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters

Severity: Medium
Published: 06/30/2026 (06/30/2026, 18:43:23 UTC)
Source: GCVE Database
Product: twig/twig

Description

A vulnerability in twig/twig before version 3.27.0 allows sandboxed template authors to bypass sandbox policy restrictions on the __toString() method via the join and replace filters with Traversable inputs, and the in and not in operators. This bypass occurs because the sandbox policy did not recursively check Stringable objects inside Traversable containers or operands coerced to string during comparisons. The issue enables disallowed __toString() calls on objects reachable from the render context despite sandbox restrictions. The vulnerability is rated medium severity.

Affected software

Ecosystem: Packagist (GHSA)
Package: twig/twig
Affected versions: <3.27.0


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/30/2026, 23:47:07 UTC

Technical Analysis

This vulnerability is a residual bypass of a previous fix for unguarded __toString() calls in twig/twig. The SandboxExtension::ensureToStringAllowed() method originally recursed into PHP arrays to check Stringable objects against the sandbox policy but did not materialize or check contents of Traversable inputs passed to join and replace filters. These filters later coerce contained Stringable objects to strings without policy checks. Similarly, the in and not in operators use PHP's spaceship operator which coerces Stringable objects to strings without sandbox checks, allowing bypass and potential content leak. The fix added recursive checking of Traversable operands and declared operands of in/not in as string-coerced to enforce policy checks before string coercion.
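As an added illustration of the recursive check the fix describes (not Twig's own code), the following standalone PHP models a `__toString()` policy that is enforced before a join filter coerces its elements. The function and parameter names (`checkToString`, `ensureToStringAllowed`, `sandboxedJoin`, `$allowed`) and the `Secret` sample class are assumptions made for this example; the "old" variant reproduces only the array-only recursion described above.

```php
<?php
// Hypothetical model of the fix described above; not Twig's code. All names here are assumptions.
// Policy: only objects of an allow-listed class may be coerced via __toString().
function checkToString(object $obj, array $allowed): void
{
    foreach ($allowed as $class) {
        if ($obj instanceof $class) { return; }
    }
    throw new RuntimeException($obj::class . '::__toString() is not allowed by the sandbox policy');
}
// Before the fix (as described above): only PHP arrays were walked, so a
// Traversable holding Stringable objects reached join unchecked.
function ensureToStringAllowedOld(mixed $value, array $allowed): mixed
{
    if (is_array($value)) {
        foreach ($value as $v) { ensureToStringAllowedOld($v, $allowed); }
    } elseif ($value instanceof Stringable) {
        checkToString($value, $allowed);
    }
    return $value;
}
// After: a Traversable is materialized once, walked recursively, and the
// materialized array is returned so the caller never re-iterates it unchecked.
function ensureToStringAllowed(mixed $value, array $allowed): mixed
{
    if ($value instanceof Traversable) { $value = iterator_to_array($value, false); }
    if (is_array($value)) {
        foreach ($value as $k => $v) { $value[$k] = ensureToStringAllowed($v, $allowed); }
    } elseif ($value instanceof Stringable) {
        checkToString($value, $allowed);
    }
    return $value;
}
// join filter: the policy must run before implode() coerces each element to string.
function sandboxedJoin(iterable $values, string $glue, array $allowed, bool $fixed = true): string
{
    $v = $fixed ? ensureToStringAllowed($values, $allowed) : ensureToStringAllowedOld($values, $allowed);
    return implode($glue, is_array($v) ? $v : iterator_to_array($v, false));
}
// Constructed sample: a disallowed Stringable wrapped in an ArrayIterator instead of a plain array.
final class Secret implements Stringable { public function __toString(): string { return 's3cr3t'; } }
echo sandboxedJoin(new ArrayIterator([new Secret()]), ',', [], fixed: false), "\n"; // old check: prints s3cr3t
try {
    sandboxedJoin(new ArrayIterator([new Secret()]), ',', []);                      // fixed check
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";                                                    // refused before coercion
}
```

With an empty allow-list the old path prints the object's string form, while the fixed path throws before `implode()` ever calls `__toString()`; the same recursion applies to nested arrays and iterators.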

Potential Impact

Sandboxed template authors with permission to use join, replace, in, or not in can trigger disallowed __toString() method calls on objects in the render context, bypassing sandbox policy restrictions. This can lead to unauthorized execution of __toString() methods that were intended to be blocked, potentially exposing sensitive data or causing unintended side effects. The vulnerability affects sandboxed environments and can also be used as a content-leak oracle via the in operator.

Mitigation Recommendations

A fix is available in twig/twig version 3.27.0 that addresses this bypass by recursively checking Traversable inputs and properly enforcing sandbox policy on string coercion in the affected filters and operators. Users should upgrade to version 3.27.0 or later to remediate this vulnerability. No other mitigation is required as the fix fully addresses the issue.


Technical Details

GCVE source: db.gcve.eu
OSV ID: GHSA-8x9c-rmqh-456c
OSV schema version: 1.4.0
Aliases: CVE-2026-48807
Ecosystems: Packagist
Database-specific severity: MODERATE
CVSS version: null

Threat ID: 6a4452e027e9c797198e1086

Added to database: 06/30/2026, 23:36:00 UTC

Last enriched: 06/30/2026, 23:47:07 UTC

Last updated: 07/01/2026, 03:26:11 UTC

