๐Ÿ” CVE Alert

CVE-2026-46634

UNKNOWN 0.0

Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
25th

Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__<hash> name that can fall outside a SourcePolicyInterface sandbox decision, allowing a sandboxed template that can call template_from_string and include to render an inner template without security policy enforcement. This issue is fixed in version 3.26.0.

CWE CWE-693
Vendor twigphp
Product twig
Published Jul 14, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for twigphp twig

Be the first to know when new unknown vulnerabilities affecting twigphp twig are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

twigphp / Twig
>= 3.9.0, < 3.26.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/twigphp/Twig/security/advisories/GHSA-24x9-r6q4-q93w github.com: https://github.com/twigphp/Twig/commit/1cde8f2b62463f85d47995fc25f8241cb409d915 github.com: https://github.com/twigphp/Twig/releases/tag/v3.26.0