Memory Management Flaw in Twig Template Engine Affects PHP Applications
CVE-2026-46629

5.3MEDIUM

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-46629?

The Twig template engine allows PHP applications to create dynamic templates efficiently. However, prior to version 3.26.0, a design flaw in its handling of IntlDateFormatter and NumberFormatter instances permitted excessive memory allocation. This vulnerability arose because Twig memoizes formatter objects in arrays indexed by template-controlled filter arguments, such as locale and pattern. Consequently, numerous ICU formatter objects could remain active for the duration of the Twig environment, potentially leading to significant memory consumption. This issue has been resolved in version 3.26.0, which addresses the underlying memory management concerns.

Affected Version(s)

Twig < 3.26.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.