Advertisement
Security

Twig Template Engine Vulnerability Allows Sandbox Policy Bypass

A critical vulnerability in Twig versions 3.9.0 through 3.25.0 allows sandboxed templates to bypass security policy enforcement.

··1 hour ago·1 min read
Matrix movie still
Photo by Markus Spiske on Unsplash
Advertisement

A critical security vulnerability, identified as CVE-2026-46634, has been discovered in the Twig template language for PHP. The issue stems from how the template_from_string() function compiles inner templates, which can cause them to fall outside the scope of the SourcePolicyInterface sandbox. This flaw allows a sandboxed template to execute and render inner templates without proper security policy enforcement.

Assigned a CVSS score of 9.8, the vulnerability is classified as critical. It potentially allows for full impact on confidentiality, integrity, and availability. The flaw affects all versions of Twig from 3.9.0 up to and including 3.25.0.

Users are advised to update their Twig installations to version 3.26.0 or later, which contains the official fix for this issue. Further details can be found in the official Twig security advisory and GitHub release notes.

#twig#php#cve-2026-46634#vulnerability#sandbox

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement