CVE-2026-24425
Publication date 20 May 2026
Last updated 8 June 2026
Description
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when the sandbox is enabled through a SourcePolicyInterface. An attacker with template rendering capabilities can pass arbitrary PHP callables to the sort, filter, map, and reduce filters: the runtime check does not use the current template's source, so when the sandbox is enabled through a source policy rather than globally, the sandbox restrictions can be bypassed and arbitrary code executed.
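A version check a defender can run against a project's composer.lock, added here as an example and not part of the Ubuntu page or the Twig project; it encodes the affected ranges stated above (fixed upstream in 3.26.0, per the release reference) and assumes the standard composer.lock layout with a "packages" list. For Ubuntu's own php-twig package rely on the status table below instead, because Ubuntu backports fixes without changing the upstream version (resolute's 3.23.0-2ubuntu0.1~esm1 is fixed although 3.23.0 falls inside the upstream range).

```python
"""Check whether a pinned Twig version is in the affected range for CVE-2026-24425.

Affected per the advisory: 2.16.x, and 3.9.0 through 3.25.x (fixed in 3.26.0).
"""
import json
import re

# Half-open ranges [low, high) over (major, minor, patch) tuples.
AFFECTED_RANGES = (
    ((2, 16, 0), (2, 17, 0)),   # 2.16.x
    ((3, 9, 0), (3, 26, 0)),    # 3.9.0 .. 3.25.x, fixed in 3.26.0
)


def parse_version(text):
    """Turn '3.25.1', 'v3.25.1' or '3.25.1-beta1' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if the upstream Twig version lies in one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def twig_version_from_lock(lock_json):
    """Return the twig/twig version pinned in a composer.lock document, or None."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "twig/twig":
            return pkg["version"]
    return None


# Constructed composer.lock fragment for demonstration (not from the page).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "symfony/yaml", "version": "v7.1.0"},
    {"name": "twig/twig", "version": "v3.25.1"},
]})

if __name__ == "__main__":
    pinned = twig_version_from_lock(SAMPLE_LOCK)
    print(pinned, "affected" if is_affected(pinned) else "not affected")
```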
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| php-twig | 26.04 LTS resolute | Fixed (3.23.0-2ubuntu0.1~esm1) |
| php-twig | 25.10 questing | Vulnerable |
| php-twig | 24.04 LTS noble | Not affected |
| php-twig | 22.04 LTS jammy | Not affected |
| php-twig | 20.04 LTS focal | Not affected |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality impact | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-8408-1: Twig vulnerability (8 June 2026)
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-24425
- https://symfony.com/blog/cve-2026-24425-possible-sandbox-bypass-when-using-a-source-policy
- https://github.com/twigphp/Twig/releases/tag/v3.26.0
- https://github.com/twigphp/Twig/security/advisories/GHSA-2q52-x2ff-qgfr
- https://www.vulncheck.com/advisories/twig-x-x-sandbox-bypass-via-sourcepolicyinterface