Advertisement
Security

Critical PHP Injection Vulnerability Patched in Twig Template Engine

A critical vulnerability in Twig versions prior to 3.26.0 allows attackers to inject arbitrary PHP code via crafted template names in {% use %} tags.

··1 hour ago·1 min read
red padlock on black computer keyboard
Photo by FlyD on Unsplash
Advertisement

A critical security vulnerability, identified as CVE-2026-46633, has been discovered in the Twig template language for PHP. The flaw exists in the Compiler::string() method, which fails to properly escape single quotes when handling template names used within {% use %} tags. This oversight allows a crafted template name to terminate a PHP single-quoted string literal, enabling the injection of arbitrary PHP expressions into the compiled cache file.

With a CVSS score of 9.8, this vulnerability is classified as critical, as it allows for unauthorized code execution with high impact on confidentiality, integrity, and availability. The issue affects all versions of Twig prior to 3.26.0. Users are strongly advised to update their Twig installations to version 3.26.0 or later to mitigate this risk.

#twig#php#cve-2026-46633#vulnerability#code-injection

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement