Template Injection Vulnerability in Twig PHP Template Engine
CVE-2026-46638
6MEDIUM
What is CVE-2026-46638?
The Twig PHP template engine contains a vulnerability that allows templates loaded outside the sandbox to be included without proper security checks. Specifically, prior to version 3.26.0, the {% sandbox %}{% include %} functionality did not invoke checkSecurity(), permitting cached templates to operate with tags, filters, and functions which should have been restricted by SecurityPolicy::checkSecurity(). This oversight can lead to potential exploitation by allowing unauthorized access to sensitive data or unintended behaviors within the application.
Affected Version(s)
Twig < 3.26.0
