Object-destructuring Assignment Vulnerability in Twig by Twig
CVE-2026-46639
7.1HIGH
What is CVE-2026-46639?
A security issue exists in the Twig template engine between versions 3.24.0 and 3.26.0, where the CoreExtension::getAttribute() method is compiled with the sandbox argument hardcoded to false. This flaw negates critical property and method policy checks, thereby allowing an attacker with write access to a sandboxed Twig template to access public properties or invoke public getters on objects passed to the template engine. It is essential to update to version 3.26.0 or later to address this security concern.
Affected Version(s)
Twig >= 3.24.0, < 3.26.0
