Debian Package Tracker
Register | Log in
Subscribe

php-twig

Flexible, fast, and secure template engine for PHP

Choose email to subscribe with

general
  • source: php-twig (main)
  • version: 3.27.1-1
  • maintainer: Debian PHP PEAR Maintainers (archive) (DMD)
  • uploaders: David Prévot [DMD] – Daniel Beyer [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.14.3-1+deb11u2
  • o-o-sec: 2.14.3-1+deb11u4
  • oldstable: 3.5.1-1+deb12u3
  • old-sec: 3.5.1-1+deb12u3
  • old-p-u: 3.5.1-1+deb12u3
  • stable: 3.27.0-0+deb13u1
  • stable-sec: 3.27.0-0+deb13u1
  • testing: 3.27.1-1
  • unstable: 3.27.1-1
  • exp: 4.0.0~alpha1-1
versioned links
  • 2.14.3-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.14.3-1+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.5.1-1+deb12u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.27.0-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.27.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.0.0~alpha1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • php-twig
  • php-twig-cache-extra
  • php-twig-cssinliner-extra
  • php-twig-doc
  • php-twig-extra-bundle
  • php-twig-html-extra
  • php-twig-inky-extra
  • php-twig-intl-extra
  • php-twig-markdown-extra
  • php-twig-string-extra
action needed
Marked for autoremoval on 17 August due to erlang: #1141414 high
Version 3.27.1-1 of php-twig is marked for autoremoval from testing on Mon 17 Aug 2026. It depends (transitively) on erlang, affected by #1141414. You should try to prevent the removal by fixing these RC bugs.
Created: 2026-06-28 Last update: 2026-07-18 04:48
A new upstream version is available: 4.0.0-alpha1 high
A new upstream version 4.0.0-alpha1 is available, you should consider packaging it.
Created: 2026-05-28 Last update: 2026-07-18 02:01
12 security issues in bullseye high

There are 12 open security issues in bullseye.

10 important issues:
  • CVE-2026-46628: Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0.
  • CVE-2026-46629: Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig\Environment. This issue is fixed in version 3.26.0.
  • CVE-2026-46633: Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name to terminate the string and inject arbitrary PHP expressions into the compiled cache file. This issue is fixed in version 3.26.0.
  • CVE-2026-46635: Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0.
  • CVE-2026-46636:
  • CVE-2026-46637: Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0.
  • CVE-2026-46638: Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags, filters, and functions that should have been denied by SecurityPolicy::checkSecurity(). This issue is fixed in version 3.26.0.
  • CVE-2026-47732: Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed(), allowing a sandboxed template author to invoke __toString() on objects reachable in the render context through conditional expressions, comparison operators, tests, template-loading tags, dynamic attribute names, spread arguments, the do tag, and the .. range operator. This issue is fixed in version 3.26.0.
  • CVE-2026-48805: Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0.
  • CVE-2026-49981: Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0.
2 ignored issues:
  • CVE-2024-51755: Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
  • CVE-2025-24374: Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
Created: 2026-05-21 Last update: 2026-07-15 22:00
lintian reports 1 error and 3 warnings high
Lintian reports 1 error and 3 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2026-05-31 Last update: 2026-05-31 15:01
8 low-priority security issues in bookworm low

There are 8 open security issues in bookworm.

2 issues left for the package maintainer to handle:
  • CVE-2024-51755: (needs triaging) Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
  • CVE-2025-24374: (needs triaging) Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

You can find information about how to handle these issues in the security team's documentation.

6 ignored issues:
  • CVE-2026-46635: Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0.
  • CVE-2026-46636:
  • CVE-2026-46638: Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags, filters, and functions that should have been denied by SecurityPolicy::checkSecurity(). This issue is fixed in version 3.26.0.
  • CVE-2026-47732: Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed(), allowing a sandboxed template author to invoke __toString() on objects reachable in the render context through conditional expressions, comparison operators, tests, template-loading tags, dynamic attribute names, spread arguments, the do tag, and the .. range operator. This issue is fixed in version 3.26.0.
  • CVE-2026-48805: Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and arrayEvery(), allowing legacy calls such as twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() to bypass sandbox callable restrictions. This issue is fixed in version 3.27.0.
  • CVE-2026-49981: Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0.
Created: 2024-11-07 Last update: 2026-07-15 22:00
debian/patches: 10 patches to forward upstream low

Among the 10 debian patches available in version 3.27.1-1 of the package, we noticed the following issues:

  • 10 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-05-31 17:17
news
[rss feed]
  • [2026-06-03] php-twig 3.27.1-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-02] Accepted php-twig 3.5.1-1+deb12u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: David Prévot)
  • [2026-06-02] Accepted php-twig 3.5.1-1+deb12u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: David Prévot)
  • [2026-06-02] Accepted php-twig 3.5.1-1+deb12u2 (source) into oldstable-security (Debian FTP Masters) (signed by: David Prévot)
  • [2026-06-02] Accepted php-twig 3.5.1-1+deb12u3 (source) into oldstable-security (Debian FTP Masters) (signed by: David Prévot)
  • [2026-06-02] Accepted php-twig 4.0.0~alpha1-1 (source) into experimental (David Prévot)
  • [2026-05-31] Accepted php-twig 3.27.1-1 (source) into unstable (David Prévot)
  • [2026-05-30] Accepted php-twig 3.27.0-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: David Prévot)
  • [2026-05-30] Accepted php-twig 3.26.0-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: David Prévot)
  • [2026-05-30] php-twig 3.27.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-29] Accepted php-twig 3.26.0-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: David Prévot)
  • [2026-05-29] Accepted php-twig 3.27.0-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: David Prévot)
  • [2026-05-28] php-twig 3.26.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-27] Accepted php-twig 3.27.0-1 (source) into unstable (David Prévot)
  • [2026-05-21] Accepted php-twig 3.26.0-1 (source) into unstable (David Prévot)
  • [2026-05-11] php-twig REMOVED from testing (Debian testing watch)
  • [2026-03-22] php-twig 3.24.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-20] Accepted php-twig 3.24.0-1 (source) into unstable (David Prévot)
  • [2026-02-10] php-twig 3.23.0-2 MIGRATED to testing (Debian testing watch)
  • [2026-02-07] Accepted php-twig 3.23.0-2 (source) into unstable (David Prévot)
  • [2026-01-27] php-twig 3.23.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-01-25] Accepted php-twig 3.23.0-1 (source) into unstable (David Prévot)
  • [2025-12-18] php-twig 3.22.2-2 MIGRATED to testing (Debian testing watch)
  • [2025-12-15] Accepted php-twig 3.22.2-2 (source) into unstable (David Prévot)
  • [2025-12-15] Accepted php-twig 3.22.2-1 (source all) into unstable (David Prévot)
  • [2025-12-08] php-twig 3.22.1-3 MIGRATED to testing (Debian testing watch)
  • [2025-12-05] Accepted php-twig 3.22.1-3 (source) into unstable (David Prévot)
  • [2025-11-20] php-twig 3.22.1-2 MIGRATED to testing (Debian testing watch)
  • [2025-11-17] Accepted php-twig 3.22.1-2 (source) into unstable (David Prévot)
  • [2025-11-17] Accepted php-twig 3.22.1-1 (source all) into unstable (David Prévot)
  • 1
  • 2
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian (1, 3)
  • buildd: logs, exp, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 3.23.0-2build7

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing