
Twig CVE-2026-46633

CRITICAL
Code Injection (CWE-94)
2026-05-21 https://github.com/twigphp/Twig GHSA-7p85-w9px-jpjp

Lifecycle Timeline

Source Code Evidence Fetched: May 21, 2026 - 22:00 (vuln.today)
Analysis Generated: May 21, 2026 - 22:00 (vuln.today)

Description (NVD)

Compiler::string() escapes ", $, \, NUL and TAB when generating PHP double-quoted string literals, but does not escape single quotes. In ModuleNode::compileConstructor(), the template name from a {% use %} tag is compiled via subcompile() -> string() and placed inside a surrounding PHP single-quoted string literal. A template name containing a single quote terminates that surrounding string early, allowing arbitrary PHP expressions to be injected into the compiled cache file.

The injected code executes within the PHP process when the cache file is first loaded, bypassing the Twig sandbox entirely and achieving remote code execution. SecurityPolicy unconditionally allows {% use %} regardless of the configured allowedTags, so this primitive is reachable from sandboxed templates as well.

Resolution

Compiler::string() now also escapes single quotes so that template names placed inside single-quoted PHP literals can no longer break out of the surrounding context.
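To make the escaping mismatch in the description and the fix in the resolution concrete, here is an added Python model of the two-context problem. It is example code, not Twig's own: the escape table follows the advisory's account of Compiler::string() (`"`, `$`, `\`, NUL and TAB, plus `'` after the fix), the "uses trait ... loaded" wrapper is a hypothetical stand-in for the single-quoted literal that ModuleNode::compileConstructor() emits, and the function names are assumptions. The scanner applies PHP's actual rule for single-quoted literals, in which only `\\` and `\'` are escape sequences and every other character, including `"` and `$`, is literal.

```python
"""Added model of the Compiler::string() escaping mismatch behind CVE-2026-46633.

This is example code, not Twig's own. Assumptions: the escape table below
mirrors the advisory's description of Compiler::string() (", $, \\, NUL, TAB,
plus ' after the fix), and compile_use_fragment() is a hypothetical stand-in for
the ModuleNode::compileConstructor() code that interpolates that literal into a
PHP single-quoted string.
"""
from typing import Optional


def php_double_quoted(value: str, escape_single_quote: bool) -> str:
    """Emit a PHP double-quoted literal as the advisory describes
    Compiler::string(): backslash-escape ", $, \\, NUL and TAB.
    escape_single_quote=True models the fix, which also escapes '."""
    specials = {'"': '\\"', '$': '\\$', '\\': '\\\\', '\0': '\\000', '\t': '\\t'}
    if escape_single_quote:
        specials["'"] = "\\'"
    return '"' + ''.join(specials.get(ch, ch) for ch in value) + '"'


def compile_use_fragment(template_name: str, fixed: bool) -> str:
    """Hypothetical generated code: the compiled {% use %} template-name literal
    lands inside a surrounding single-quoted PHP literal (assumed wrapper text)."""
    return "'uses trait " + php_double_quoted(template_name, fixed) + " loaded'"


def single_quoted_literal_end(src: str, start: int = 0) -> int:
    """Index of the closing quote of the PHP single-quoted literal opening at
    src[start]. Inside '...' PHP recognises only \\\\ and \\' as escapes;
    every other character, including " and $, is literal."""
    if src[start] != "'":
        raise ValueError("no single-quoted literal at start")
    i = start + 1
    while i < len(src):
        ch = src[i]
        if ch == "\\" and i + 1 < len(src) and src[i + 1] in ("\\", "'"):
            i += 2          # escaped backslash or quote: still inside the literal
            continue
        if ch == "'":
            return i        # closing quote
        i += 1
    raise ValueError("unterminated single-quoted literal")


def breaks_out(template_name: str, fixed: bool) -> Optional[str]:
    """Return the source text PHP would parse as code after the literal
    terminates early, or None when the template name stays inside it."""
    src = compile_use_fragment(template_name, fixed)
    end = single_quoted_literal_end(src)
    if end == len(src) - 1:
        return None
    return src[end + 1:]


if __name__ == "__main__":
    # Constructed template names: a benign one, one with a bare quote, and one
    # whose backslash-quote pair tests that the fix composes with \ escaping.
    for name in ("base.twig", "a'b", "a\\'b"):
        for fixed in (False, True):
            leak = breaks_out(name, fixed)
            status = "stays inside literal" if leak is None else f"escapes literal, trailing code: {leak!r}"
            label = "fixed     " if fixed else "vulnerable"
            print(f"{label} {name!r:12} -> {status}")
```

The vulnerable path shows why the double-quoted escaping alone is not enough: `"a'b"` is a valid PHP double-quoted literal, but once that text is pasted inside `'...'` the bare `'` closes the outer literal and everything after it is parsed as PHP code. With the fix, the name arrives as `"a\'b"`, and `\'` is exactly the escape the single-quoted context honours, so the literal runs to its intended end.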

Credits

Twig would like to thank Anvil Secure in collaboration with Claude and Anthropic Research for reporting the issue and providing the fix.

Analysis (AI)

{% use %} tags to break out of compiled cache file string literals and execute arbitrary PHP code. The flaw bypasses the Twig sandbox entirely because SecurityPolicy unconditionally permits {% use %} regardless of allowedTags configuration. …


Remediation (AI)

{% use %} tags if not operationally required, and deploy WAF rules to block template injection patterns. Within 30 days: Monitor Twig project for patch release; architect application changes to eliminate user-controlled data influencing template names.

