๐Ÿ” CVE Alert

CVE-2026-46627

UNKNOWN 0.0

Twig: Sandbox resource exhaustion via unbounded `for` / `range()`

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion.

CWE CWE-400
Vendor twigphp
Product twig
Published Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for twigphp twig

Be the first to know when new unknown vulnerabilities affecting twigphp twig are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

twigphp / Twig
< 3.26.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/twigphp/Twig/security/advisories/GHSA-923g-j88x-j34q github.com: https://github.com/twigphp/Twig/commit/6bfa285e2f98651adb7aa480bf83a741d154f09f github.com: https://github.com/twigphp/Twig/releases/tag/v3.26.0