[SECURITY] [DSA 6311-1] php-twig security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6311-1] php-twig security update
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Fri, 29 May 2026 18:34:20 +0000
Message-id: <[🔎] ahncLHeBKDUfnOBL@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6311-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 29, 2026                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php-twig
CVE ID         : CVE-2026-24425 CVE-2026-46627 CVE-2026-46628 CVE-2026-46629 
                 CVE-2026-46633 CVE-2026-46634 CVE-2026-46635 CVE-2026-46636 
                 CVE-2026-46637 CVE-2026-46638 CVE-2026-46640 CVE-2026-47730 
                 CVE-2026-47732 CVE-2026-48805

Multiple security vulnerabilities were discovered in Twig, a template
engine for PHP, which could result in PHP code injection, sandbox bypass
or cross-site scripting.

For the stable distribution (trixie), these problems have been fixed in
version 3.27.0-0+deb13u1.

We recommend that you upgrade your php-twig packages.

For the detailed security status of php-twig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-twig

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmoZ2OYACgkQEMKTtsN8
TjZZpQ//RL6C/Uyft9psxLNzRzMZlZR1UmEl/gbuzUWWWqIiiMz0SJv1CXe1fKkB
G3hOv56uP/bTQBxQRLOPnci5n02jIHocNFaWtyAEYKGdbxI/uFDUUHV7og90NTnZ
FW9IPFrzujmrRs9hd3yIMGCEUfze+5t51ehCY01a65cYV9mEEMaiuewFuD2+8jNF
CWdbbReid5cmKL9Rb7pikvX1tvVbRX70AVfTF3ajkcoBLcJ+zCl8V0d0zE2ROt0Y
blxfNlxs660RmiZrADxq8wwoDYlH2Q9Y+uNZE+pVdsvDFXT6f8W+4mKdTaWGnsz5
Cqrvl3M5eTkBQeXWUbc7qabYp93zbsBSTig3bF0c40BFMh2VdWZyVZUKm6pGF1iw
oeM3+zEPOAGpbzVd0LAtRlGsqj3sWcTl+NqW01/Crbs94SZizib7Bd0qPeAdfogE
kJNThXwkYqcBweaZ3AEWgIMnisQiO4ASwrkDtDu6ka9yKSklbNqcHKUv6cUa4B0K
xN0d7OYtjB5dL7DmBglN5Az2jC6nTFCtxzsuql8qWLj3gwQLuVLkbJjUjTJ/JqZ1
H/toW5w5KzotIqZ9XJJGup7qK3soU4JzgtqIaOKxLrw/nP2O8uHiVMg19BjoHhXN
hQvNOFR9Iwgz1Wp3Qoflh7mEtFVm0THrZS6J9RrFxUORlQSunFs=
=zhXV
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 6310-1] imagemagick security update
Next by Date: [SECURITY] [DSA 6312-1] symfony security update
Previous by thread: [SECURITY] [DSA 6310-1] imagemagick security update
Next by thread: [SECURITY] [DSA 6312-1] symfony security update
Index(es):
- Date
- Thread