Insufficient Property Filtering in Twig Template Engine Affects PHP Applications
CVE-2026-46635
5.3MEDIUM
What is CVE-2026-46635?
The Twig Template Engine, used broadly in PHP applications, prior to version 3.26.0 is vulnerable to insufficient property filtering within its column filter feature. This flaw allows untrusted template authors to access object arrays inappropriately, enabling them to read public and magic properties. As these properties can bypass the necessary checks established by CoreExtension::getAttribute() and SandboxExtension::checkPropertyAllowed(), it poses a risk for unauthorized access to sensitive information not included in the sandbox allowlist. This issue has been rectified in version 3.26.0, mandating users to upgrade to safeguard their applications.
Affected Version(s)
Twig < 3.26.0
