GHSA-pr2w-4gpj-cpq4: Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
Summary
Twig's sandbox (a security feature that restricts what templates can do) had multiple vulnerabilities where certain language constructs could bypass security checks and call `__toString()` methods (special functions that convert objects to strings) on objects without permission. Attackers could exploit this through conditional expressions, comparison operators, tests, and several other Twig features to access object data that should have been blocked.
Solution / Mitigation
The sandbox was fixed by wrapping every child node that will be converted to a string at runtime. A new `Twig\Node\CoercesChildrenToStringInterface` allows nodes to declare which children need protection, core nodes now implement this interface, spread arguments are checked via `SandboxExtension::ensureSpreadAllowed()`, and dynamic attribute names are checked at runtime inside `CoreExtension::getAttribute()`.
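As an added example (not Twig's own code nor part of the advisory), the following PHP script is a regression check a deployer can run after upgrading: it renders a handful of probe templates under a sandbox policy that does not allow `__toString()` and reports, per construct, whether the policy check fired. The probe templates are assumed illustrations of the construct categories the advisory names (plain output, conditional expression, comparison, test), not the advisory's own test cases; `Secret` is a constructed stand-in for any application object whose string form must stay out of templates. It assumes `twig/twig` is installed through Composer.

```php
<?php
// Added regression check (not Twig's code): does the sandbox policy fire
// at every point where a template coerces an object to a string?
// Assumes twig/twig is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for an application object. It counts how often
// __toString() actually ran, so a bypass is detected even when the
// coerced string never reaches the rendered output.
final class Secret
{
    public static int $calls = 0;

    public function __toString(): string
    {
        self::$calls++;
        return 'SECRET-VALUE';
    }
}

// Assumed probes, one per construct category named in the advisory.
$probes = [
    'output'      => '{{ obj }}',
    'conditional' => '{{ true ? obj : "" }}',
    'comparison'  => '{{ obj == "x" ? "eq" : "ne" }}',
    'test'        => '{{ obj is empty ? "empty" : "set" }}',
];

// Strict policy: no tags, filters, methods, properties or functions are
// allowed, so any __toString() call must be refused by the sandbox.
$policy = new SecurityPolicy([], [], [], [], []);

$twig = new Environment(new ArrayLoader($probes), ['cache' => false]);
// Second argument = true sandboxes every template, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

$bypasses = 0;
foreach (array_keys($probes) as $name) {
    Secret::$calls = 0;
    try {
        $twig->render($name, ['obj' => new Secret()]);
        if (Secret::$calls > 0) {
            $bypasses++;
            $verdict = 'BYPASS: __toString() ran without a policy check';
        } else {
            $verdict = 'no coercion at this construct';
        }
    } catch (SecurityError $e) {
        // Expected on a patched Twig: the policy refused __toString().
        $verdict = 'blocked (' . get_class($e) . ')';
    }
    printf("%-12s %s\n", $name, $verdict);
}

exit($bypasses === 0 ? 0 : 1);
```

Run it against the Twig version you deploy; a non-zero exit means at least one construct coerced the object to a string without consulting the sandbox policy, which is the behaviour the advisory describes, and the installed version should be upgraded to a fixed release.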
Vulnerability Details
EPSS: 0.0%
June 5, 2026
Original source: https://github.com/advisories/GHSA-pr2w-4gpj-cpq4
First tracked: June 5, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%