vulnerabilities in composer dependencies

ugh, composer.

There are 16 composer security advisories affecting our repositories.

swiftmailer/swiftmailer (CVE-2024-28859)

Deserialization Gadget chain in Swift Mailer

Affected repositories (1)

• mediawiki/extensions/SwiftMailer

twig/twig (CVE-2026-24425)

Possible sandbox bypass when using a source policy

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-46627)

Sandbox does not protect against resource exhaustion

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-46628)

The `spaceless` filter implicitly marks its output as safe

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-46633)

PHP code injection via `{% use %}` template name

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-46634)

`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-46635)

Sandbox property allowlist bypass via the `column` filter (array_column on objects)

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-46636)

Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-46638)

`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-47730)

XSS in profiler HtmlDumper via unescaped template and profile names

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-47732)

Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-48805)

Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-48806)

Sandbox `__toString()` policy bypass via dynamic mapping keys

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-48807)

Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators

Affected repositories (1)

• mediawiki/extensions/ContactManager

twig/twig (CVE-2026-48808)

Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

Affected repositories (1)

• mediawiki/extensions/ContactManager

symfony/cache (CVE-2026-45073)

CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix

Affected repositories (1)

• mediawiki/skins/Aether

Source code is licensed under the AGPL.