build(deps): bump twig/twig from 3.25.0 to 3.26.0

[dependabot]

Bumps twig/twig from 3.25.0 to 3.26.0.

Release notes

Sourced from twig/twig's releases.

v3.26.0

Changelog (twigphp/Twig@v3.25.0...v3.26.0)

• security #cve-2026-46627 Document that the sandbox doesn't protect against resource exhaustion (@​fabpot)
• security #cve-2026-46628 Pre-escape HTML input on the spaceless filter (@​fabpot)
• security #cve-2026-46634 Document template_from_string caveats when used in a sandboxed env (@​fabpot)
• security #cve-2026-46635 Fix sandbox bypass in the "column" filter (@​alexandre-daubois)
• security #cve-2026-47732 [Sandbox] Fix __toString() support (@​fabpot)
• security #cve-2026-47730 [Profiler] Escape template and profile names in HtmlDumper (@​nicolas-grekas)
• security #cve-2026-46640 Fix sandbox bypass: PHP code injection via _self / import macro reference (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46638 Fix sandbox bypass in the { sandbox } tag when including a preloaded template (@​alexandre-daubois)
• security #cve-2026-46633 Fix sandbox bypass: PHP code injection via { use } template name (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46629 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter (@​alexandre-daubois)
• security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (@​nicolas-grekas)
• security #cve-2026-46639 Fix sandbox bypass in object destructuring assignment (@​alexandre-daubois)
• security #cve-2026-24425 Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing (@​fabpot)

Changelog

Sourced from twig/twig's changelog.

3.26.0 (2026-05-20)

• Document that the sandbox doesn't protect against resource exhaustion
• Document template_from_string caveats when used in a sandboxed environment
• Add docs on Markup about the goal of this class in the context of a sandbox
• Pre-escape HTML input on the spaceless filter
• Pre-escape HTML input on inline_css and inky_to_html filters
• Fix XSS by adjusting is_safe annotation on HTML-emitting filters
• [Profiler] Escape template and profile names in HtmlDumper
• Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
• Fix sandbox bypass in the "column" filter
• Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template
• Fix sandbox bypass: PHP code injection via {% use %} template name
• Fix sandbox bypass: PHP code injection via _self / import macro reference
• Fix sandbox bypass in object destructuring assignment
• Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
• Encode single quotes as \x27 in Compiler::string() as a defense-in-depth measure
• Fix sandbox __toString bypasses
• Add Twig\Node\CoercesChildrenToStringInterface to let nodes declare which of their child nodes will be string-coerced at runtime so the sandbox wraps them with a __toString check

Commits

• 1fcae48 Prepare the 3.26.0 release
• 40d4f8a Update CHANGELOG
• 116dae2 security #cve-2026-46627 Document that the sandbox doesn't protect against re...
• 6bfa285 Document that the sandbox doesn't protect against resource exhaustion
• 7923de1 security #cve-2026-46628 Pre-escape HTML input on the spaceless filter (fab...
• 47ca88d security #cve-2026-46634 Document template_from_string caveats when used in a...
• 1cde8f2 Document template_from_string caveats when used in a sandboxed env
• 3190b9a Pre-escape HTML input on the spaceless filter
• b9e6e65 Add docs on Markup about the goal of this class in the context of a sandbox
• 673f02c security #cve-2026-46635 Fix sandbox bypass in the "column" filter (alexandre...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)