-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 26 May 2026 13:43:06 +0200
Source: php-twig
Architecture: source
Version: 3.26.0-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers
Changed-By: David Prévot
Changes:
 php-twig (3.26.0-0+deb13u1) trixie-security; urgency=medium
 .
   [ Fabien Potencier ]
   * Fix sandbox bypass: propagate sandbox state to checkArrow for source-policy sandboxing [CVE-2026-24425]
   * Fix sandbox `__toString` bypasses [CVE-2026-47732]
   * Pre-escape HTML input on the `spaceless` filter [CVE-2026-46628]
   * Document template_from_string caveats when used in a sandboxed env [CVE-2026-46634]
   * Document that the sandbox doesn't protect against resource exhaustion [CVE-2026-46627]
   * Update CHANGELOG
   * Prepare the 3.26.0 release
 .
   [ Alexandre Daubois ]
   * Fix sandbox bypass in object destructuring assignment [CVE-2026-46639]
   * Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter` [CVE-2026-46629]
   * Fix sandbox bypass: PHP code injection via {% use %} template name [CVE-2026-46633]
   * Fix sandbox bypass in the `{% sandbox %}` tag when including a preloaded template [CVE-2026-46638]
   * Fix sandbox bypass: PHP code injection via _self / import macro reference [CVE-2026-46640]
   * Fix sandbox bypass in the "column" filter [CVE-2026-46635]
 .
   [ Nicolas Grekas ]
   * Fix XSS by adjusting `is_safe` annotation on HTML-emitting filters [CVE-2026-46637]
   * Pre-escape HTML input on `inline_css` and `inky_to_html` filters
   * [Profiler] Escape template and profile names in HtmlDumper [CVE-2026-47730]
 .
   [ David Prévot ]
   * Track debian/trixie branch
   * Refresh patches
   * Make phpab tolerant
   * Update build for related path

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----