-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 May 2026 23:21:18 +0200
Source: php-twig
Architecture: source
Version: 3.27.0-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers
Changed-By: David Prévot
Changes:
 php-twig (3.27.0-0+deb13u1) trixie-security; urgency=medium
 .
   [ Fabien Potencier ]
   * Fix sandbox bypass: propagate sandbox state to checkArrow for
     source-policy sandboxing [CVE-2026-24425]
   * Fix sandbox `__toString` bypasses [CVE-2026-47732]
   * Pre-escape HTML input on the `spaceless` filter [CVE-2026-46628]
   * Document template_from_string caveats when used in a sandboxed env
     [CVE-2026-46634]
   * Document that the sandbox doesn't protect against resource exhaustion
     [CVE-2026-46627]
   * Fix sandbox bypass in deprecated internal wrappers [CVE-2026-48805]
   * Fix sandbox bypass in the "column" filter under SourcePolicyInterface
     [CVE-2026-48808]
   * Fix sandbox __toString bypass via Traversable in join/replace filters
   * Fix sandbox `__toString` bypass via the `in` and `not in` operators
     [CVE-2026-48807]
   * Fix sandbox __toString policy bypass via dynamic mapping keys
     [CVE-2026-48806]
   * Fix sandbox filter/tag/function allow-list bypass when sandbox state
     changes between renders [CVE-2026-46636]
   * Update CHANGELOG
   * Prepare the 3.27.0 release
 .
   [ Alexandre Daubois ]
   * Fix sandbox bypass in object destructuring assignment [CVE-2026-46639]
   * Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter`
     [CVE-2026-46629]
   * Fix sandbox bypass: PHP code injection via {% use %} template name
     [CVE-2026-46633]
   * Fix sandbox bypass in the `{% sandbox %}` tag when including a
     preloaded template [CVE-2026-46638]
   * Fix sandbox bypass: PHP code injection via _self / import macro
     reference [CVE-2026-46640]
   * Fix sandbox bypass in the "column" filter [CVE-2026-46635]
 .
   [ Nicolas Grekas ]
   * Fix XSS by adjusting `is_safe` annotation on HTML-emitting filters
     [CVE-2026-46637]
   * Pre-escape HTML input on `inline_css` and `inky_to_html` filters
   * [Profiler] Escape template and profile names in HtmlDumper
     [CVE-2026-47730]
 .
   [ David Prévot ]
   * Track debian/trixie branch
   * Refresh patches
   * Make phpab tolerant
   * Update build for related path
Checksums-Sha1:
 25b63c3411723dc568a49bb392e28326d4c338ca 2943 php-twig_3.27.0-0+deb13u1.dsc
 65958235ae13b3d5df88b4597cb8f9275c2b86ec 295220 php-twig_3.27.0.orig.tar.xz
 37f79dc056b2f7aae26357aa7bc817adb9fcdc2a 32464 php-twig_3.27.0-0+deb13u1.debian.tar.xz
 a92ead933b9d49468d2039e9cabe5a3f745f8df2 13673 php-twig_3.27.0-0+deb13u1_amd64.buildinfo
Checksums-Sha256:
 6110222dcccd1d6acdae6fa40cbbbcff43c9f8a59b70507eaceed6c0d9a461d6 2943 php-twig_3.27.0-0+deb13u1.dsc
 34c8a7e6570787bb9f3502d991832c42d5066f008132c2cad09b5d793c775705 295220 php-twig_3.27.0.orig.tar.xz
 b4e368de75bc3214f9914a13b4d332f1797a6eb2519b0af2ce64bfdd22df2e6a 32464 php-twig_3.27.0-0+deb13u1.debian.tar.xz
 b753ede33b55b6cc7b860862cbf4ce907b392b69bfb422c6ee8beb2ce6734a14 13673 php-twig_3.27.0-0+deb13u1_amd64.buildinfo
Files:
 76c228e04c68421a4ffbbcaeaf3d033c 2943 php optional php-twig_3.27.0-0+deb13u1.dsc
 a0fd43ce95ac7a80c70bf85b89ce6859 295220 php optional php-twig_3.27.0.orig.tar.xz
 b8ef6d9926497bbf2b91a1e0b701612e 32464 php optional php-twig_3.27.0-0+deb13u1.debian.tar.xz
 e3bf891952e791f6c8ea43506c5d4d8b 13673 php optional php-twig_3.27.0-0+deb13u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmoYscsSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08cm4H+gL5mOa9NWjIeHzM8YIU/UImhXbwftXU
w0Y9Mi/Z8XJvvuz0yha7m6eErBkZardHc/75vBkE/jkrz1yP/A4GvJSYZ36jkukc
QYgriIz98E//TZ3NOWBG49EFfP8ACKgW8MU/+vzlwZXDhquh49Fiq5MdqUG975Pp
hh8xt5rpezSRqINtmh3H/yc7IX29oiSa7AMa9AfYWLOO/HJBHZ99awgnlu9YodZO
RzTFVPpSXbZ7HlWxZ9b+bGrpm0o2bZpbfOmlimjS51aV+cRIOeMIT/ID7cVtbci4
ROdDsfmca7yKhutp87SUBSS3XMEZWKoN2eNTk+a0GTmmrRGexJUkV1c=
=3Isc
-----END PGP SIGNATURE-----
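The .changes file above binds the uploaded artefacts to the maintainer's signature through the Checksums-Sha1, Checksums-Sha256 and Files stanzas (one "<digest> <size> <filename>" entry per indented line). The practitioner's check before trusting a downloaded source package is therefore two steps: verify the PGP signature against the Debian keyring (`gpg --verify`, or `dscverify` from devscripts), then confirm each listed file matches its signed digest and size. The following is an added example, not Debian's own tooling: a small parser for the Checksums-Sha256 stanza and a verifier that reports, per file, whether it is missing, the wrong size, the wrong hash, or ok. The demo files it writes are constructed stand-ins (their names mirror the entries above, their contents and the listed digests are fake), so the report is only illustrative; the signature check itself is left to gpg.

```python
"""Verify the per-file checksums listed in a Debian .changes file.

Added example, not Debian tooling. Parses the Checksums-Sha256 stanza
(one " <sha256> <size> <filename>" entry per indented line, ending at the
next unindented field) and compares each entry with the file on disk.
Run `gpg --verify` on the .changes first; this only checks that the
files match what the signed text lists.
"""
import hashlib
import os
import re
import tempfile

STANZA_RE = re.compile(r"^Checksums-Sha256:\s*$")
ENTRY_RE = re.compile(r"^\s+([0-9a-f]{64})\s+(\d+)\s+(\S+)\s*$")


def parse_sha256_stanza(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 stanza."""
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if STANZA_RE.match(line):
            in_stanza = True
            continue
        if in_stanza:
            m = ENTRY_RE.match(line)
            if not m:
                break  # first non-entry line is the next field; stanza over
            digest, size, name = m.groups()
            entries[name] = (digest, int(size))
    return entries


def sha256_of(path):
    """Streamed SHA-256 of a file, hex encoded."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(changes_text, directory):
    """Check every listed file under `directory`.

    Returns {filename: "ok" | "missing" | "size-mismatch" | "hash-mismatch"}.
    Size is compared before hashing so a truncated download is reported
    separately from substituted or corrupted content.
    """
    results = {}
    for name, (digest, size) in parse_sha256_stanza(changes_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_of(path) != digest:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


def build_demo(directory):
    """Constructed sample (fake contents, fake digests): writes three stand-in
    artefacts and returns a .changes text whose entries exercise each outcome."""
    contents = {
        "php-twig_3.27.0-0+deb13u1.dsc": b"Format: 3.0 (quilt)\nSource: php-twig\n",
        "php-twig_3.27.0.orig.tar.xz": b"not the real tarball\n",
        "php-twig_3.27.0-0+deb13u1.debian.tar.xz": b"not the real debian tarball\n",
    }
    for name, data in contents.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    dsc = os.path.join(directory, "php-twig_3.27.0-0+deb13u1.dsc")
    orig = os.path.join(directory, "php-twig_3.27.0.orig.tar.xz")
    lines = [
        "Format: 1.8",
        "Source: php-twig",
        "Checksums-Sha256:",
        # correct digest and size -> ok
        f" {sha256_of(dsc)} {os.path.getsize(dsc)} php-twig_3.27.0-0+deb13u1.dsc",
        # right size, wrong digest -> hash-mismatch (substituted content)
        f" {'0' * 64} {os.path.getsize(orig)} php-twig_3.27.0.orig.tar.xz",
        # wrong size -> size-mismatch (truncated or padded download)
        f" {'1' * 64} 1 php-twig_3.27.0-0+deb13u1.debian.tar.xz",
        # listed but never downloaded -> missing
        f" {'2' * 64} 13673 php-twig_3.27.0-0+deb13u1_amd64.buildinfo",
        "Files:",
        " d41d8cd98f00b204e9800998ecf8427e 0 php optional ignored.txt",
        "",
    ]
    return "\n".join(lines)


def demo_results():
    """Run the constructed demo in a scratch directory and return the report."""
    with tempfile.TemporaryDirectory() as d:
        return verify_files(build_demo(d), d)


if __name__ == "__main__":
    for name, status in demo_results().items():
        print(f"{status:14s} {name}")
```

Only the SHA-256 stanza is parsed here; the Checksums-Sha1 and Files (MD5) stanzas carry the same filenames and sizes and add nothing a SHA-256 match does not already establish. Stopping at the first unindented line matters: the Files stanza uses a different entry shape, and a parser that kept scanning would silently skip it or, worse, accept entries from an unrelated field.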