Template Language Vulnerability in Twig from Twig Technologies
CVE-2026-46640
8.7HIGH
What is CVE-2026-46640?
The vulnerability in the Twig template engine affects versions 3.15.0 to 3.26.0, enabling an attacker to manipulate the MacroReferenceExpression name using dynamic attribute syntax. This flaw arises from a lack of proper identifier validation, allowing untrusted input to be concatenated into the generated template source. Consequently, this can lead to the execution of raw PHP code at the time the template is loaded, posing a significant security risk to applications utilizing affected versions of Twig.
Affected Version(s)
Twig >= 3.15.0, < 3.26.0
