Template Injection Vulnerability in Twig PHP Template Engine
CVE-2026-46638

6MEDIUM

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-46638?

The Twig PHP template engine contains a vulnerability that allows templates loaded outside the sandbox to be included without proper security checks. Specifically, prior to version 3.26.0, the {% sandbox %}{% include %} functionality did not invoke checkSecurity(), permitting cached templates to operate with tags, filters, and functions which should have been restricted by SecurityPolicy::checkSecurity(). This oversight can lead to potential exploitation by allowing unauthorized access to sensitive data or unintended behaviors within the application.

Affected Version(s)

Twig < 3.26.0

References

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.