PHP Template Language Twig Vulnerability in Multiple Versions
CVE-2026-47732

7.1HIGH

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-47732?

A vulnerability in the Twig template language for PHP allows an attacker with access to a sandboxed template to exploit string coercion mechanisms. This can enable unauthorized invocation of the '__toString()' method on accessible objects, posing potential security risks by executing unintended code through various constructs, such as conditional expressions and comparison operators. The issue has been resolved in Twig version 3.26.0, which enforces more stringent checks on method invocations to enhance overall security.

Affected Version(s)

Twig < 3.26.0

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.