Format: 1.8
Date: Tue, 26 May 2026 13:43:06 +0200
Source: php-twig
Binary: php-twig php-twig-cache-extra php-twig-cssinliner-extra php-twig-doc php-twig-extra-bundle php-twig-html-extra php-twig-inky-extra php-twig-intl-extra php-twig-markdown-extra php-twig-string-extra
Architecture: all
Version: 3.26.0-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: David Prévot
Description:
 php-twig - Flexible, fast, and secure template engine for PHP
 php-twig-cache-extra -
 php-twig-cssinliner-extra -
 php-twig-doc - Twig template engine documentation
 php-twig-extra-bundle -
 php-twig-html-extra -
 php-twig-inky-extra -
 php-twig-intl-extra -
 php-twig-markdown-extra -
 php-twig-string-extra -
Changes:
 php-twig (3.26.0-0+deb13u1) trixie-security; urgency=medium
 .
   [ Fabien Potencier ]
   * Fix sandbox bypass: propagate sandbox state to checkArrow for
     source-policy sandboxing [CVE-2026-24425]
   * Fix sandbox `__toString` bypasses [CVE-2026-47732]
   * Pre-escape HTML input on the `spaceless` filter [CVE-2026-46628]
   * Document template_from_string caveats when used in a sandboxed env
     [CVE-2026-46634]
   * Document that the sandbox doesn't protect against resource exhaustion
     [CVE-2026-46627]
   * Update CHANGELOG
   * Prepare the 3.26.0 release
 .
   [ Alexandre Daubois ]
   * Fix sandbox bypass in object destructuring assignment [CVE-2026-46639]
   * Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter`
     [CVE-2026-46629]
   * Fix sandbox bypass: PHP code injection via {% use %} template name
     [CVE-2026-46633]
   * Fix sandbox bypass in the `{% sandbox %}` tag when including a
     preloaded template [CVE-2026-46638]
   * Fix sandbox bypass: PHP code injection via _self / import macro
     reference [CVE-2026-46640]
   * Fix sandbox bypass in the "column" filter [CVE-2026-46635]
 .
   [ Nicolas Grekas ]
   * Fix XSS by adjusting `is_safe` annotation on HTML-emitting filters
     [CVE-2026-46637]
   * Pre-escape HTML input on `inline_css` and `inky_to_html` filters
   * [Profiler] Escape template and profile names in HtmlDumper
     [CVE-2026-47730]
 .
   [ David Prévot ]
   * Track debian/trixie branch
   * Refresh patches
   * Make phpab tolerant
   * Update build for related path