Memory Management Flaw in Twig Template Engine Affects PHP Applications
CVE-2026-46629
5.3MEDIUM
What is CVE-2026-46629?
The Twig template engine allows PHP applications to create dynamic templates efficiently. However, prior to version 3.26.0, a design flaw in its handling of IntlDateFormatter and NumberFormatter instances permitted excessive memory allocation. This vulnerability arose because Twig memoizes formatter objects in arrays indexed by template-controlled filter arguments, such as locale and pattern. Consequently, numerous ICU formatter objects could remain active for the duration of the Twig environment, potentially leading to significant memory consumption. This issue has been resolved in version 3.26.0, which addresses the underlying memory management concerns.
Affected Version(s)
Twig < 3.26.0
