-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 26 May 2026 13:43:06 +0200
Source: php-twig
Architecture: source
Version: 3.26.0-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Changes:
 php-twig (3.26.0-0+deb13u1) trixie-security; urgency=medium
 .
   [ Fabien Potencier ]
   * Fix sandbox bypass: propagate sandbox state to checkArrow for source-policy
     sandboxing [CVE-2026-24425]
   * Fix sandbox `__toString` bypasses [CVE-2026-47732]
   * Pre-escape HTML input on the `spaceless` filter [CVE-2026-46628]
   * Document template_from_string caveats when used in a sandboxed env
     [CVE-2026-46634]
   * Document that the sandbox doesn't protect against resource exhaustion
     [CVE-2026-46627]
   * Update CHANGELOG
   * Prepare the 3.26.0 release
 .
   [ Alexandre Daubois ]
   * Fix sandbox bypass in object destructuring assignment [CVE-2026-46639]
   * Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter`
     [CVE-2026-46629]
   * Fix sandbox bypass: PHP code injection via {% use %} template name
     [CVE-2026-46633]
   * Fix sandbox bypass in the `{% sandbox %}` tag when including a preloaded
     template [CVE-2026-46638]
   * Fix sandbox bypass: PHP code injection via _self / import macro reference
     [CVE-2026-46640]
   * Fix sandbox bypass in the "column" filter [CVE-2026-46635]
 .
   [ Nicolas Grekas ]
   * Fix XSS by adjusting `is_safe` annotation on HTML-emitting filters
     [CVE-2026-46637]
   * Pre-escape HTML input on `inline_css` and `inky_to_html` filters
   * [Profiler] Escape template and profile names in HtmlDumper [CVE-2026-47730]
 .
   [ David Prévot ]
   * Track debian/trixie branch
   * Refresh patches
   * Make phpab tolerant
   * Update build for related path
Checksums-Sha1:
d52b98609c77ecf69345026e0909c36322755c46 2943 php-twig_3.26.0-0+deb13u1.dsc
6cd8f89400cde9ed7cc3f81117268ae34fada278 288376 php-twig_3.26.0.orig.tar.xz
894ab5abd008c96ce1c6fd12a66779fefd11c7cc 32084 php-twig_3.26.0-0+deb13u1.debian.tar.xz
dacb83629892cdb0b97588f440e852b9b1491c9e 13673 php-twig_3.26.0-0+deb13u1_amd64.buildinfo
Checksums-Sha256:
47d313ffea0b06a07cca4a8295d4be5b2b95f19a884a08a228c542a3abe5325f 2943 php-twig_3.26.0-0+deb13u1.dsc
27ebc728697a9dced0566d9a48241925f162c363ae53b0403834501eeab89022 288376 php-twig_3.26.0.orig.tar.xz
360b00cc90235d14300fee9ff4f5ce430c5562bcaa0105f6a19354e2175b0135 32084 php-twig_3.26.0-0+deb13u1.debian.tar.xz
5ff91c29033cd74c655a62f956046b4546383c3d5b5ae441bd01669464406e95 13673 php-twig_3.26.0-0+deb13u1_amd64.buildinfo
Files:
d2140137cd5eb6e1a2214b406db55e04 2943 php optional php-twig_3.26.0-0+deb13u1.dsc
7abc94787ed54cc96c3f91ece4b7a473 288376 php optional php-twig_3.26.0.orig.tar.xz
cf30df8d941e0b78a2c5230fd74955e1 32084 php optional php-twig_3.26.0-0+deb13u1.debian.tar.xz
71122998fac9086dc840be3fc675410d 13673 php optional php-twig_3.26.0-0+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----