Resource Exhaustion Vulnerability in Twig Template Language for PHP
CVE-2026-46627
7.1HIGH
What is CVE-2026-46627?
The Twig template engine prior to version 3.26.0 is vulnerable due to the absence of safeguards in its sandbox mode against resource exhaustion. Untrusted templates can exploit this flaw to consume excessive CPU, memory, or wall-clock time, potentially leading to performance degradation or denial of service. This issue is addressed in version 3.26.0 with documentation clarifying that while the sandbox enforces strict allow-lists, it does not defend against resource-related attacks. Users are advised to upgrade to the latest version to mitigate associated risks.
Affected Version(s)
Twig < 3.26.0
