Template Language Vulnerability in Twig from Twig Technologies
CVE-2026-46640

8.7HIGH

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-46640?

The vulnerability in the Twig template engine affects versions 3.15.0 to 3.26.0, enabling an attacker to manipulate the MacroReferenceExpression name using dynamic attribute syntax. This flaw arises from a lack of proper identifier validation, allowing untrusted input to be concatenated into the generated template source. Consequently, this can lead to the execution of raw PHP code at the time the template is loaded, posing a significant security risk to applications utilizing affected versions of Twig.

Affected Version(s)

Twig >= 3.15.0, < 3.26.0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.