Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threat Intelligence
Click on any threat for detailed analysis and mitigation recommendations
CVE-2026-49981: CWE-693: Protection Mechanism Failure in twigphp TwigCVE-2026-49981 0 Twig, a PHP template language, has a protection mechanism failure vulnerability prior to version 3.27.0. The issue involves the caching of per-template allow-list verdicts for filters, tags, and functions, which can persist after sandbox state changes between renders. This allows a sandboxed render to reuse a template that was originally checked with a different or empty policy. The vulnerability is fixed in version 3.27.0. Join the discussion | CVE Database V5 | 07/14/2026, 21:26:00 UTC Added: 07/14/2026, 21:48:21 UTC |
CVE-2026-47732: CWE-863: Incorrect Authorization in twigphp TwigCVE-2026-47732 0 Twig, a PHP template language, has an authorization vulnerability prior to version 3.26.0. Several Twig language constructs allow sandboxed template authors to invoke the __toString() method on objects without proper authorization checks. This occurs due to PHP string coercion on Stringable operands bypassing SecurityPolicy::checkMethodAllowed(). The issue is fixed in Twig version 3.26.0. Join the discussion | CVE Database V5 | 07/14/2026, 21:12:13 UTC Added: 07/14/2026, 21:48:18 UTC |
CVE-2026-47730: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in twigphp TwigCVE-2026-47730 0 Twig versions from 3.0.0 up to but not including 3.26.0 contain a cross-site scripting (XSS) vulnerability in the HtmlDumper component of the profiler. This occurs because Profile::getTemplate() and Profile::getName() are written into HTML output without proper escaping, allowing attacker-controlled template or profile names to inject arbitrary HTML when rendered in a browser. The issue is fixed starting in version 3.26.0. Join the discussion | CVE Database V5 | 07/14/2026, 21:21:10 UTC Added: 07/14/2026, 21:48:18 UTC |
CVE-2026-46639: CWE-693: Protection Mechanism Failure in twigphp TwigCVE-2026-46639 0 Twig versions from 3.24.0 up to but not including 3.26.0 contain a vulnerability where object-destructuring assignment compiles CoreExtension::getAttribute() with the sandbox argument hardcoded to false. This disables property and method policy checks, allowing an attacker with write access to a sandboxed Twig template to read public properties or invoke public getters on objects passed to the template engine. The issue is fixed in version 3.26.0. Join the discussion | CVE Database V5 | 07/14/2026, 21:13:42 UTC Added: 07/14/2026, 21:48:18 UTC |
CVE-2026-46638: CWE-693: Protection Mechanism Failure in twigphp TwigCVE-2026-46638 0 Twig, a PHP template language, has a protection mechanism failure vulnerability prior to version 3.26.0. The issue involves the {% sandbox %}{% include %} tags allowing inclusion of templates loaded outside the sandbox without rechecking security policies. This can result in unauthorized use of tags, filters, and functions that should be denied by SecurityPolicy::checkSecurity(). The vulnerability is fixed in version 3.26.0. Join the discussion | CVE Database V5 | 07/14/2026, 21:23:50 UTC Added: 07/14/2026, 21:48:18 UTC |
CVE-2026-46637: CWE-116: Improper Encoding or Escaping of Output in twigphp TwigCVE-2026-46637 0 Twig versions prior to 3.26.0 have a vulnerability where several filters in twig/markdown-extra and twig/cssinliner-extra are incorrectly registered as safe for all contexts, causing improper encoding or escaping of output. This can lead to unsafe output in HTML, JavaScript, CSS, URL, and other contexts. The issue is fixed in version 3.26.0. Join the discussion | CVE Database V5 | 07/14/2026, 21:25:20 UTC Added: 07/14/2026, 21:48:18 UTC |
CVE-2026-46635: CWE-863: Incorrect Authorization in twigphp TwigCVE-2026-46635 0 Twig, a PHP template language, has an authorization vulnerability prior to version 3.26.0. The issue arises because the column filter passes object arrays directly to PHP's array_column() function, which accesses public and magic properties without invoking Twig's CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(). This allows an untrusted template author with column in allowedFilters to read properties not permitted by the sandbox allowlist. The vulnerability is fixed in Twig version 3.26.0. Join the discussion | CVE Database V5 | 07/14/2026, 21:12:56 UTC Added: 07/14/2026, 21:48:16 UTC |
CVE-2026-46634: CWE-693: Protection Mechanism Failure in twigphp TwigCVE-2026-46634 0 Twig versions from 3.9.0 up to but not including 3.26.0 have a protection mechanism failure in the template_from_string() function. This function compiles inner templates under synthesized names that can bypass sandbox security policies, allowing sandboxed templates to render inner templates without enforcement of security restrictions. The issue is fixed in version 3.26.0. Join the discussion | CVE Database V5 | 07/14/2026, 21:19:17 UTC Added: 07/14/2026, 21:48:16 UTC |
CVE-2026-46633: CWE-94: Improper Control of Generation of Code ('Code Injection') in twigphp TwigCVE-2026-46633 0 Twig, a PHP template language, has a code injection vulnerability (CWE-94) in versions prior to 3.26.0. The issue arises because Compiler::string() does not escape single quotes when processing template names from {% use %} tags inside PHP single-quoted string literals. This allows crafted template names to break out of the string context and inject arbitrary PHP code into the compiled cache file. The vulnerability is fixed in Twig version 3.26.0. Join the discussion | CVE Database V5 | 07/14/2026, 21:14:24 UTC Added: 07/14/2026, 21:48:16 UTC |
CVE-2026-46629: CWE-770: Allocation of Resources Without Limits or Throttling in twigphp TwigCVE-2026-46629 0 Twig prior to version 3.26.0 contains a vulnerability where IntlDateFormatter and NumberFormatter instances are memoized without limits based on template-controlled arguments. This can lead to excessive resource allocation that persists for the lifetime of the Twig environment. The issue is fixed in version 3.26.0. Join the discussion | CVE Database V5 | 07/14/2026, 21:22:15 UTC Added: 07/14/2026, 21:48:16 UTC |
Showing 1 to 10 of 12 results