Twig Template Engine Vulnerability Allows Sandbox Policy Bypass
A critical vulnerability in Twig versions 3.9.0 through 3.25.0 allows sandboxed templates to bypass security policy enforcement.
A critical security vulnerability, identified as CVE-2026-46634, has been discovered in the Twig template language for PHP. The issue stems from how the template_from_string() function compiles inner templates, which can cause them to fall outside the scope of the SourcePolicyInterface sandbox. This flaw allows a sandboxed template to execute and render inner templates without proper security policy enforcement.
Assigned a CVSS score of 9.8, the vulnerability is classified as critical. It potentially allows for full impact on confidentiality, integrity, and availability. The flaw affects all versions of Twig from 3.9.0 up to and including 3.25.0.
Users are advised to update their Twig installations to version 3.26.0 or later, which contains the official fix for this issue. Further details can be found in the official Twig security advisory and GitHub release notes.
Continue Reading
Critical Heap Corruption Flaw Discovered in illumos SCTP Stack
A critical vulnerability in the illumos SCTP inbound path allows unauthenticated remote attackers to trigger kernel heap corruption and potential code execution.
WireGuard Easy Vulnerability Allows Unauthorized Credential Recovery
A critical flaw in WireGuard Easy allows unauthenticated attackers to brute-force weak tokens and hijack VPN peer credentials.
CISA Adds Fortinet FortiSandbox Command Injection Flaw to KEV Catalog
CISA has confirmed active exploitation of a command injection vulnerability in Fortinet FortiSandbox, mandating urgent remediation for federal agencies.