Object-destructuring Assignment Vulnerability in Twig by Twig
CVE-2026-46639

7.1HIGH

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-46639?

A security issue exists in the Twig template engine between versions 3.24.0 and 3.26.0, where the CoreExtension::getAttribute() method is compiled with the sandbox argument hardcoded to false. This flaw negates critical property and method policy checks, thereby allowing an attacker with write access to a sandboxed Twig template to access public properties or invoke public getters on objects passed to the template engine. It is essential to update to version 3.26.0 or later to address this security concern.

Affected Version(s)

Twig >= 3.24.0, < 3.26.0

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.