Critical PHP Injection Vulnerability Patched in Twig Template Engine
A critical vulnerability in Twig versions prior to 3.26.0 allows attackers to inject arbitrary PHP code via crafted template names in {% use %} tags.
A critical security vulnerability, identified as CVE-2026-46633, has been discovered in the Twig template language for PHP. The flaw exists in the Compiler::string() method, which fails to properly escape single quotes when handling template names used within {% use %} tags. This oversight allows a crafted template name to terminate a PHP single-quoted string literal, enabling the injection of arbitrary PHP expressions into the compiled cache file.
With a CVSS score of 9.8, this vulnerability is classified as critical, as it allows for unauthorized code execution with high impact on confidentiality, integrity, and availability. The issue affects all versions of Twig prior to 3.26.0. Users are strongly advised to update their Twig installations to version 3.26.0 or later to mitigate this risk.
Continue Reading
The AI Attack Surface of Executives
Modern AI tools have collapsed reconnaissance time for social engineering, turning executive public profiles into critical security risks.
Twig Template Engine Vulnerability Allows Sandbox Policy Bypass
A critical vulnerability in Twig versions 3.9.0 through 3.25.0 allows sandboxed templates to bypass security policy enforcement.
CISA Adds Actively Exploited FortiSandbox Flaw to KEV Catalog
CISA has confirmed active exploitation of an OS command injection vulnerability in Fortinet FortiSandbox, requiring immediate remediation.