CVE-2026-46629
Twig: Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig\Environment. This issue is fixed in version 3.26.0.
| CWE | CWE-770 |
| Vendor | twigphp |
| Product | twig |
| Published | Jul 14, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for twigphp twig
Be the first to know when new unknown vulnerabilities affecting twigphp twig are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
twigphp / Twig
< 3.26.0