Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-47732

Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed(), allowing a sandboxed template author to invoke __toString() on objects reachable in the render context through conditional expressions, comparison operators, tests, template-loading tags, dynamic attribute names, spread arguments, the do tag, and the .. range operator. This issue is fixed in version 3.26.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 29.3%
CVSS Severity


Contact Us

Shodan ® - All rights reserved