๐Ÿ” CVE Alert

CVE-2026-46638

UNKNOWN 0.0

Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags, filters, and functions that should have been denied by SecurityPolicy::checkSecurity(). This issue is fixed in version 3.26.0.

CWE CWE-693
Vendor twigphp
Product twig
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for twigphp twig

Be the first to know when new unknown vulnerabilities affecting twigphp twig are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

twigphp / Twig
< 3.26.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/twigphp/Twig/security/advisories/GHSA-7fxw-r6jv-74c8 github.com: https://github.com/twigphp/Twig/commit/819c6a89fe0f261b8555c4f4d5e27d31984223ea github.com: https://github.com/twigphp/Twig/releases/tag/v3.26.0