Auth bypass in Twigphp Twig

CVE-2026-47732

Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed(), allowing a sandboxed template author to inv…

Vulnerability class: Broken Access Control

Affected products

Weakness classification (CWE)

References