GHSA-p42q-9prx-q5wq: Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
### Description

The 3.26.0 source-policy hardening changed the signature of `CoreExtension::checkArrow()` to take a boolean `$isSandboxed` instead of an `Environment`, and added the same `$isSandboxed` argument to `CoreExtension::arraySome()` and `CoreExtension::arrayEvery()`. Compiled templates were updated to pass the per-source sandbox state computed at the call site.

The deprecated internal wrappers exposed in `src/Resources/core.php` for legacy third-party code (`twig_check_arrow_in_sandbox()`, `twig_array_some()`, `twig_array_every()`) were not updated:

- `twig_array_some()` and `twig_array_every()` call `CoreExtension::arraySome()` / `arrayEvery()` without forwarding the sandbox state. The underlying methods default `$isSandboxed` to `false`, so the callable-must-be-a-`Closure` restriction is silently bypassed in sandbox mode and a string callable such as `'strcmp'` is accepted.
- `twig_check_arrow_in_sandbox()` passes the `Environment` object where `CoreExtension::checkArrow()` now expects a `bool`, which throws a `TypeError` on PHP 8+.

Compiled Twig templates are not affected: they call `CoreExtension::*` directly with the correct arguments. Applications are only impacted if they still call the deprecated `twig_*` helpers on top of a sandboxed `Environment`.

### Resolution

The three wrappers now resolve the current sandbox state via `twig_resolve_is_sandboxed()` (the same helper compiled templates use), and forward it to the corresponding `CoreExtension::*` method. `twig_check_arrow_in_sandbox()` no longer triggers a `TypeError`, and `twig_array_some()` / `twig_array_every()` now enforce the same sandbox restriction as compiled templates.

### Credits

We would like to thank El Kharoubi Iosif for reporting the issue and Fabien Potencier for providing the fix.
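The wrapper defect and its fix, as an added example that is not Twig's own code: a small PHP model in which `SandboxModel`, `legacyArraySome()` and `fixedArraySome()` are hypothetical stand-ins for `CoreExtension::*`, the deprecated `twig_array_some()` wrapper and its corrected form, and a static flag stands in for the state `twig_resolve_is_sandboxed()` returns. It shows how a permissive default on the `$isSandboxed` flag lets a wrapper that simply omits it bypass the Closure-only check.

```php
<?php
// Added example, not Twig's code: SandboxModel, legacyArraySome and
// fixedArraySome are hypothetical stand-ins for CoreExtension::* and twig_*.
final class SandboxModel
{
    // Stand-in for the per-source sandbox state that compiled templates
    // compute at the call site (and twig_resolve_is_sandboxed() resolves).
    public static bool $sandboxed = false;
    // Model of CoreExtension::checkArrow(): in sandbox mode only a Closure
    // is accepted as the arrow, so a string callable like 'strcmp' fails.
    public static function checkArrow(string|\Closure $arrow, bool $isSandboxed): void
    {
        if ($isSandboxed && !$arrow instanceof \Closure) {
            throw new \RuntimeException('arrow must be a Closure in sandbox mode');
        }
    }
    // Model of CoreExtension::arraySome(): the security-relevant flag defaults
    // to the permissive value, so a caller that omits it gets no check at all.
    public static function arraySome(array $array, string|\Closure $arrow, bool $isSandboxed = false): bool
    {
        self::checkArrow($arrow, $isSandboxed);
        foreach ($array as $k => $v) {
            if ($arrow($v, $k)) {
                return true;
            }
        }
        return false;
    }
}
// Legacy wrapper as described in the advisory: the sandbox state is dropped.
function legacyArraySome(array $array, string|\Closure $arrow): bool
{
    return SandboxModel::arraySome($array, $arrow);
}

// Fixed wrapper: resolve the current sandbox state and forward it explicitly.
function fixedArraySome(array $array, string|\Closure $arrow): bool
{
    return SandboxModel::arraySome($array, $arrow, SandboxModel::$sandboxed);
}

SandboxModel::$sandboxed = true;
$items = ['first' => 'a', 'second' => 'b'];
// Legacy path: the string callable is executed even though the sandbox is active.
echo 'legacy wrapper accepted strcmp: ', var_export(legacyArraySome($items, 'strcmp'), true), PHP_EOL;
// Fixed path: the same call is rejected, matching compiled-template behaviour.
try {
    fixedArraySome($items, 'strcmp');
} catch (\RuntimeException $e) {
    echo 'fixed wrapper rejected strcmp: ', $e->getMessage(), PHP_EOL;
}
```

The same pattern applies to `arrayEvery()`; the practical check for an application is whether any of its own code (or vendored third-party code) still calls the deprecated `twig_*` helpers against a sandboxed `Environment`.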
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: GHSA-p42q-9prx-q5wq
- OSV schema version: 1.4.0
- Aliases: CVE-2026-48805
- Ecosystems: Packagist
- Database-specific severity: LOW
- CVSS version: null
Threat ID: 6a4452e027e9c797198e1094
Added to database: 06/30/2026, 23:36:00 UTC
Last updated: 06/30/2026, 23:36:00 UTC