Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/php-twig@2.14.3-1%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/php-twig@2.14.3-1%2Bdeb11u3?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-etje-vrfw-nbh4 Twig has a possible sandbox bypass ### Description Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. The security issue happens when all these conditions are met: * The sandbox is disabled globally; * The sandbox is enabled via a sandboxed `include()` function which references a template name (like `included.twig`) and not a `Template` or `TemplateWrapper` instance; * The included template has been loaded before the `include()` call but in a non-sandbox context (possible as the sandbox has been globally disabled). ### Resolution The patch ensures that the sandbox security checks are always run at runtime. ### Credits We would like to thank Fabien Potencier for reporting and fixing the issue. CVE-2024-45411
GHSA-6j75-5wfj-gh66

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T11:37:47.889184+00:00 Debian Importer Fixing VCID-etje-vrfw-nbh4 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T07:55:32.857485+00:00 Debian Importer Fixing VCID-etje-vrfw-nbh4 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:49:41.314681+00:00 Debian Importer Fixing VCID-etje-vrfw-nbh4 https://security-tracker.debian.org/tracker/data/json 38.1.0