Changelog (v3.25.0...v3.26.0)
- security #cve-2026-46627 Document that the sandbox doesn't protect against resource exhaustion (@fabpot)
- security #cve-2026-46628 Pre-escape HTML input on the `spaceless` filter (@fabpot)
- security #cve-2026-46634 Document template_from_string caveats when used in a sandboxed env (@fabpot)
- security #cve-2026-46635 Fix sandbox bypass in the "column" filter (@alexandre-daubois)
- security #cve-2026-47732 [Sandbox] Fix __toString() support (@fabpot)
- security #cve-2026-47730 [Profiler] Escape template and profile names in `HtmlDumper` (@nicolas-grekas)
- security #cve-2026-46640 Fix sandbox bypass: PHP code injection via _self / import macro reference (@alexandre-daubois, @fabpot)
- security #cve-2026-46638 Fix sandbox bypass in the `{% sandbox %}` tag when including a preloaded template (@alexandre-daubois)
- security #cve-2026-46633 Fix sandbox bypass: PHP code injection via `{% use %}` template name (@alexandre-daubois, @fabpot)
- security #cve-2026-46629 Fix unbounded memoisation of `IntlDateFormatter`/`NumberFormatter` (@alexandre-daubois)
- security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (@nicolas-grekas)
- security #cve-2026-46639 Fix sandbox bypass in object destructuring assignment (@alexandre-daubois)
- security #cve-2026-24425 Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing (@fabpot)