CVE-2026-47732 is a sandbox security feature bypass vulnerability in the Twig PHP templating engine, titled "Sandbox: multiple __toString() policy bypasses via unguarded string coercion points." It affects all versions of twig/twig up to and including 3.25.0 (across the 1.x, 2.x, and 3.x branches), and was first published on May 20, 2026, with the GitHub Advisory Database entry updated on June 5, 2026. The vulnerability is rated High severity (GitHub Advisory, Twig Security Advisory). The patched version is 3.26.0, released on May 20, 2026 (Twig v3.26.0).
The root cause (CWE-20: Improper Input Validation) lies in SandboxNodeVisitor, which enforces SecurityPolicy::checkMethodAllowed() for implicit __toString() calls by wrapping only a hardcoded, incomplete set of AST nodes in CheckToStringNode. Several Twig language constructs trigger PHP string coercion on Stringable operands without consulting the security policy, allowing a sandboxed template author to invoke __toString() on any object reachable in the render context even if that method is not allowlisted (GitHub Advisory). Confirmed bypass vectors include: conditional expressions (a ? b : c, a ?: b, a ?? b) as inputs to string-coercing filters; loose comparison and matches operators (==, !=, <, >, <=, >=, <=>) usable as byte-by-byte oracles; Twig tests such as is empty (which calls (string) $value in CoreExtension::testEmpty()); null-coalesce expressions in concatenation; arguments to allowed methods; template-name expressions in include/extends/use tags; dynamic attribute names; spread arguments from Traversable objects; and the do tag and .. range operator (Twig Security Advisory). The fix redesigns SandboxNodeVisitor to wrap every child node that the parent will string-coerce at runtime, introducing Twig\Node\CoercesChildrenToStringInterface and SandboxExtension::ensureSpreadAllowed() (Twig v3.26.0).
A sandboxed template author can call non-allowlisted __toString() methods on any object accessible in the render context, effectively escaping the sandbox's method access controls. Using comparison operators as an oracle, an attacker can recover the string representation of sensitive objects byte by byte without needing any allowlisted tag, filter, or function. This can lead to unauthorized disclosure of sensitive data held in render-context objects (e.g., credentials, tokens, internal state) and may enable further exploitation depending on what objects are exposed in the context (GitHub Advisory, Twig Security Advisory).
Upgrade twig/twig to version 3.26.0 or later, which comprehensively fixes all identified bypass vectors by redesigning how SandboxNodeVisitor wraps string-coercing nodes (Twig v3.26.0, GitHub Advisory). As an interim workaround prior to patching, audit all sandboxed templates in use to identify and remove constructs that could trigger unguarded string coercion, and restrict template authoring access to fully trusted users only. Additionally, minimize the objects exposed in the render context to only those strictly necessary for legitimate template operations, reducing the attack surface if exploitation is attempted.
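As an added example, not part of this advisory and not code from the Twig project, the following PHP script applies the three mitigations above in one place: it refuses to run on a Twig version below 3.26.0, configures the sandbox with an explicit minimal allowlist, and projects render-context objects into plain scalars and arrays so that no Stringable object is reachable from a sandboxed template. It assumes twig/twig is installed via Composer; the Account class and the exposeToTemplate() function are hypothetical names chosen for the illustration.

```php
<?php
// Added defensive example (not from the advisory or from twig/twig itself).
// Assumes twig/twig is installed via Composer. Account and exposeToTemplate()
// are hypothetical names used only for this illustration.

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical domain object whose __toString() would expose a secret if the
// object itself were ever reachable from a sandboxed template.
final class Account
{
    public function __construct(public string $name, private string $apiToken) {}

    public function __toString(): string
    {
        return $this->name . ':' . $this->apiToken;
    }
}

// 1. Version gate: the bypass vectors listed in the advisory are fixed in 3.26.0.
if (version_compare(Environment::VERSION, '3.26.0', '<')) {
    throw new RuntimeException(sprintf(
        'twig/twig %s is affected by CVE-2026-47732; upgrade to 3.26.0 or later',
        Environment::VERSION
    ));
}

// 2. Minimal policy: no methods, properties or functions on any object, and
//    only a handful of tags and filters. Anything else raises SecurityError.
$policy = new SecurityPolicy(
    ['if', 'for'],                   // allowed tags
    ['escape', 'upper', 'length'],   // allowed filters
    [],                              // allowed methods (none)
    [],                              // allowed properties (none)
    []                               // allowed functions (none)
);

$twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
$twig->addExtension(new SandboxExtension($policy, true)); // sandbox every template

// 3. Context projection: recursively reduce the context to scalars and arrays.
//    Objects are rejected unless explicitly projected, so a Stringable object
//    can never be string-coerced by ==, ?:, ??, "is empty" or similar constructs.
function exposeToTemplate(mixed $value): mixed
{
    if ($value === null || is_scalar($value)) {
        return $value;
    }
    if (is_array($value)) {
        return array_map('exposeToTemplate', $value);
    }
    if ($value instanceof Account) {
        // Explicit projection: only the fields a template legitimately needs.
        return ['name' => $value->name];
    }
    throw new InvalidArgumentException(sprintf(
        'Refusing to expose %s to a sandboxed template',
        get_debug_type($value)
    ));
}

// Constructed sample context; the token value is made up for this example.
$context = exposeToTemplate([
    'account' => new Account('alice', 'tok_constructed_sample'),
    'items'   => ['a', 'b'],
]);

$template = $twig->createTemplate(
    'Hello {{ account.name|upper }}, you have {{ items|length }} items.'
);
echo $template->render($context), PHP_EOL;

// A template that reaches for anything outside the allowlist is rejected by the
// sandbox instead of silently running.
try {
    echo $twig->createTemplate('{{ account.name|lower }}')->render($context), PHP_EOL;
} catch (SecurityError $e) {
    echo 'Blocked by sandbox policy: ', $e->getMessage(), PHP_EOL;
}
```

The projection step is the part that removes the attack surface the advisory describes: once the context holds no objects, there is nothing for an implicit __toString() call to reach, regardless of which AST nodes the sandbox visitor wraps. The version gate and the strict policy remain the primary fix; the projection is defense in depth for code that must keep running on an unpatched version for a short time.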
The Symfony blog published an official advisory and release announcement for Twig 3.26.0 covering CVE-2026-47732 alongside multiple other sandbox bypass CVEs fixed in the same release (Symfony Blog). The vulnerability was discussed on the r/symfony subreddit shortly after disclosure. The issues were reported by Anthropic Glasswing and El Kharoubi Iosif, with fixes provided by Fabien Potencier (fabpot), the Twig project lead (GitHub Advisory). Debian Linux compatibility resources noted the need to update Twig as part of a broader set of critical CVE patches.
Source: This report was generated with the help of AI.