Insufficient Property Filtering in Twig Template Engine Affects PHP Applications
CVE-2026-46635

5.3MEDIUM

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-46635?

The Twig Template Engine, used broadly in PHP applications, prior to version 3.26.0 is vulnerable to insufficient property filtering within its column filter feature. This flaw allows untrusted template authors to access object arrays inappropriately, enabling them to read public and magic properties. As these properties can bypass the necessary checks established by CoreExtension::getAttribute() and SandboxExtension::checkPropertyAllowed(), it poses a risk for unauthorized access to sensitive information not included in the sandbox allowlist. This issue has been rectified in version 3.26.0, mandating users to upgrade to safeguard their applications.

Affected Version(s)

Twig < 3.26.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.