Twig Sandbox Bypass (CVE-2026-24425) Allows Arbitrary Code Execution

The National Vulnerability Database reports a high-severity sandbox bypass, CVE-2026-24425, affecting Twig versions 2.16.x and 3.9.0 through 3.25.x. An attacker who can get a template rendered can pass arbitrary PHP callables to the sort, filter, map, and reduce filters. The root cause is a runtime check that does not consult the current template's source, so it fails to see that the sandbox applies when the sandbox is enabled per template through a SourcePolicyInterface rather than globally.

This is not a theoretical bypass; it is a direct path to arbitrary code execution. The CVSS score of 8.8 reflects that: an attacker with low privileges (PR:L) achieves full confidentiality, integrity, and availability impact (C:H/I:H/A:H) on the affected system. The SourcePolicyInterface context is what makes this one bite: many deployments enable the sandbox only for selected template sources because a global sandbox is considered too restrictive, and that is exactly the configuration the flaw affects.

Defenders should understand the attacker's calculus: an attacker who gains template rendering access, even in a supposedly sandboxed environment, gets an immediate escalation path from this bug. It is a classic example of a security control that, when not implemented or evaluated rigorously, creates a false sense of security. Patching is non-negotiable for anyone running a vulnerable Twig version.

What This Means For You

  • If your organization uses Twig 2.16.x or 3.9.0 through 3.25.x, you are exposed to arbitrary code execution by anyone who can get a template rendered. Prioritize patching immediately. Review your Twig sandbox configuration as well: on these versions, enforcing the sandbox only through a `SourcePolicyInterface` does not stop this bypass. The flaw is described only for that per-source mode, so until you can patch, enabling the sandbox globally rather than per source removes the configuration the bypass depends on.
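To make the configuration distinction concrete, here is an added PHP example; it is not from the NVD entry or the Twig project. It builds two Twig 3.x environments, one with the sandbox switched on only through a SourcePolicyInterface and one with it enabled globally, and renders a constructed probe template that passes a string callable to the `map` filter. The policy class name, the template name, and the probe template are assumptions for illustration, and the script assumes Twig installed via Composer. A benign callable (strtoupper) stands in for whatever an attacker would supply; a correctly enforced sandbox is expected to reject a non-closure callable, which surfaces as a Twig error.

```php
<?php
// Added example (not from the advisory or the Twig project): compare a
// per-source sandbox configuration with a globally enabled one using a
// constructed probe template. Assumes Twig 3.x installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Constructed probe: a string callable handed to the `map` filter. The real
// risk is an attacker-chosen callable; strtoupper is a harmless stand-in.
const PROBE_TEMPLATE = "{{ names|map('strtoupper')|join(',') }}";

// Hypothetical source policy (assumption): sandbox only templates whose name
// starts with "untrusted/". This is the per-source mode the advisory covers.
final class UntrustedPrefixPolicy implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        return str_starts_with($source->getName(), 'untrusted/');
    }
}

function makePolicy(): SecurityPolicy
{
    // Positional arguments: allowed tags, filters, methods, properties, functions.
    // `map` and `join` are allowed so the probe reaches the callable check
    // instead of failing on the filter allow-list itself.
    return new SecurityPolicy([], ['map', 'join'], [], [], []);
}

function buildEnvironment(bool $globalSandbox): Environment
{
    $loader = new ArrayLoader(['untrusted/probe.twig' => PROBE_TEMPLATE]);
    $twig = new Environment($loader, ['cache' => false, 'autoescape' => false]);

    $extension = $globalSandbox
        // Hardened: sandbox enforced for every template, no per-source lookup.
        ? new SandboxExtension(makePolicy(), true)
        // Weak (per the advisory): sandbox off globally, enabled per source.
        : new SandboxExtension(makePolicy(), false, new UntrustedPrefixPolicy());

    $twig->addExtension($extension);
    return $twig;
}

// Returns true when rendering the probe raised a Twig error, i.e. the
// string callable was refused; false when the callable actually ran.
function sandboxRejectsStringCallable(Environment $twig): bool
{
    try {
        $twig->render('untrusted/probe.twig', ['names' => ['alice', 'bob']]);
        return false;
    } catch (TwigError) {
        return true;
    }
}

foreach (['per-source policy' => false, 'global sandbox' => true] as $label => $global) {
    $rejected = sandboxRejectsStringCallable(buildEnvironment($global));
    printf(
        "%-18s %s\n",
        $label . ':',
        $rejected ? 'string callable rejected' : 'STRING CALLABLE EXECUTED (check Twig version)'
    );
}
```

Run it against the Twig version you actually deploy. The per-source row reporting that the callable executed while the global row rejects it is the behaviour the advisory describes; after patching, both rows should reject it. Because `map` and `join` are on the allow-list, the only sandbox rule the probe can trip is the callable check, so the result isolates this one code path rather than the filter allow-list.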

Indicators of Compromise

ID              Type            Indicator
CVE-2026-24425  RCE             Twig versions 2.16.x
CVE-2026-24425  RCE             Twig versions 3.9.0 through 3.25.x
CVE-2026-24425  Sandbox bypass  Sandbox enabled via SourcePolicyInterface; arbitrary PHP callables accepted by the sort, filter, map, and reduce filters
CVE-2026-24425  Code injection  Runtime check does not use the current template source, so sandbox restrictions are bypassed
Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 20, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
