๐Ÿ” CVE Alert

CVE-2026-46633

UNKNOWN 0.0

Twig: PHP code injection via `{% use %}` template name

CVSS Score
0.0
EPSS Score
0.5%
EPSS Percentile
41th

Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name to terminate the string and inject arbitrary PHP expressions into the compiled cache file. This issue is fixed in version 3.26.0.

CWE CWE-94
Vendor twigphp
Product twig
Published Jul 14, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for twigphp twig

Be the first to know when new unknown vulnerabilities affecting twigphp twig are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

twigphp / Twig
< 3.26.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/twigphp/Twig/security/advisories/GHSA-7p85-w9px-jpjp github.com: https://github.com/twigphp/Twig/commit/679447fa29083043665482ccf7d64372472621b8 github.com: https://github.com/twigphp/Twig/commit/e9ff55f6910832428e48a35b2e0748189ad49ae3 github.com: https://github.com/twigphp/Twig/releases/tag/v3.26.0