Search CVE reports


Toggle filters

51 – 60 of 43937 results

Status is adjusted based on your filters.


CVE-2026-46639

Medium priority
Needs evaluation

Twig is a template language for PHP. From 3.24.0 until 3.26.0, object-destructuring assignment compiles CoreExtension::getAttribute() with the sandbox argument hardcoded to false, disabling property and method policy checks and...

1 affected package

php-twig

Package 22.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-46638

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags,...

1 affected package

php-twig

Package 22.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-46637

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in...

1 affected package

php-twig

Package 22.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-46635

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute()...

1 affected package

php-twig

Package 22.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-46634

Medium priority
Needs evaluation

Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__<hash> name that can fall outside a SourcePolicyInterface sandbox decision,...

1 affected package

php-twig

Package 22.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-46633

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name...

1 affected package

php-twig

Package 22.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-46629

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a...

1 affected package

php-twig

Package 22.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-46628

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted...

1 affected package

php-twig

Package 22.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-46627

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource...

1 affected package

php-twig

Package 22.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-45363

Medium priority
Needs evaluation

ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decode(token, '', true, algorithm: 'HS256') accepts an attacker-forged token because OpenSSL::HMAC.digest('SHA256',...

1 affected package

ruby-jwt

Package 22.04 LTS
ruby-jwt Needs evaluation
Show less packages