Skip to main content

Twig CVE-2026-46633

HIGH
Code Injection (CWE-94)
2026-05-21 https://github.com/twigphp/Twig GHSA-7p85-w9px-jpjp
8.7
CVSS 4.0 · Vendor: https://github.com/twigphp/Twig
Share

Severity by source

Vendor (https://github.com/twigphp/Twig) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/twigphp/Twig) · only source for this CVE.

CVSS VectorVendor: https://github.com/twigphp/Twig

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Jul 14, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 22:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 21, 2026 - 22:00 vuln.today
Analysis Generated
May 21, 2026 - 22:00 vuln.today

DescriptionCVE.org

Description

Compiler::string() escapes ", $, \, NUL and TAB when generating PHP double-quoted string literals, but does not escape single quotes. In ModuleNode::compileConstructor(), the template name from a {% use %} tag is compiled via subcompile() -> string() and placed inside a surrounding PHP single-quoted string literal. A template name containing a single quote terminates that surrounding string early, allowing arbitrary PHP expressions to be injected into the compiled cache file.

The injected code executes within the PHP process when the cache file is first loaded, bypassing the Twig sandbox entirely and achieving remote code execution. SecurityPolicy unconditionally allows {% use %} regardless of the configured allowedTags, so this primitive is reachable from sandboxed templates as well.

Resolution

Compiler::string() now also escapes single quotes so that template names placed inside single-quoted PHP literals can no longer break out of the surrounding context.

Credits

Twig would like to thank Anvil Secure in collaboration with Claude and Anthropic Research for reporting the issue and providing the fix.

AnalysisAI

PHP code injection in Twig template engine versions before 3.26.0 allows attackers controlling template names in {% use %} tags to break out of compiled cache file string literals and execute arbitrary PHP code. The flaw bypasses the Twig sandbox entirely because SecurityPolicy unconditionally permits {% use %} regardless of allowedTags configuration. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-7p85-w9px-jpjp) discloses the full exploitation primitive.

Technical ContextAI

Twig is a widely deployed PHP templating engine (distributed as composer package twig/twig) used by Symfony, Drupal, and many other PHP frameworks. The root cause is a CWE-94 (Improper Control of Generation of Code) defect in Compiler::string(), which escapes double quotes, dollar signs, backslashes, NUL, and TAB characters when generating PHP string literals - but neglects single quotes. In ModuleNode::compileConstructor(), the template name from {% use %} flows through subcompile() to string() and is emitted inside a single-quoted PHP literal in the compiled cache file. A single quote in the template name closes the literal early, letting attacker-controlled content become executable PHP that runs when the cache file is included. Because compiled caches are loaded on subsequent requests, exploitation persists across process boundaries until the cache is purged.

RemediationAI

Vendor-released patch: 3.26.0 - upgrade composer dependency twig/twig to 3.26.0 or later (composer require twig/twig:^3.26.0) as the primary fix, per the GHSA-7p85-w9px-jpjp advisory. After upgrading, purge the existing Twig compiled cache directory so that any previously cached files generated from attacker-influenced template names are regenerated under the fixed compiler. If immediate patching is not possible, the practical compensating control is to ensure template names passed to the loader and to {% use %} are never derived from user input - restrict template selection to a server-controlled allowlist and reject any name containing a single quote; this is more reliable than relying on SecurityPolicy because {% use %} is unconditionally permitted regardless of allowedTags. Disabling the on-disk cache (cache => false on the Environment) does not eliminate execution risk because the injected PHP still runs the first time the template is compiled and loaded, so the upgrade or input-sanitization control should be applied even when caching is off.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-46633 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy