Auth bypass in Twigphp Twig

CVE-2026-48806

Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke __toString() on a Stringable object used as a mapping key without calling Sandbox…

Affected products

Weakness classification (CWE)

References