Resource Exhaustion Vulnerability in Twig Template Language for PHP
CVE-2026-46627

7.1HIGH

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-46627?

The Twig template engine prior to version 3.26.0 is vulnerable due to the absence of safeguards in its sandbox mode against resource exhaustion. Untrusted templates can exploit this flaw to consume excessive CPU, memory, or wall-clock time, potentially leading to performance degradation or denial of service. This issue is addressed in version 3.26.0 with documentation clarifying that while the sandbox enforces strict allow-lists, it does not defend against resource-related attacks. Users are advised to upgrade to the latest version to mitigate associated risks.

Affected Version(s)

Twig < 3.26.0

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.