Twig CVE-2026-46633
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/twigphp/Twig) · only source for this CVE.
CVSS VectorVendor: https://github.com/twigphp/Twig
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Description
Compiler::string() escapes ", $, \, NUL and TAB when generating PHP double-quoted string literals, but does not escape single quotes. In ModuleNode::compileConstructor(), the template name from a {% use %} tag is compiled via subcompile() -> string() and placed inside a surrounding PHP single-quoted string literal. A template name containing a single quote terminates that surrounding string early, allowing arbitrary PHP expressions to be injected into the compiled cache file.
The injected code executes within the PHP process when the cache file is first loaded, bypassing the Twig sandbox entirely and achieving remote code execution. SecurityPolicy unconditionally allows {% use %} regardless of the configured allowedTags, so this primitive is reachable from sandboxed templates as well.
Resolution
Compiler::string() now also escapes single quotes so that template names placed inside single-quoted PHP literals can no longer break out of the surrounding context.
Credits
Twig would like to thank Anvil Secure in collaboration with Claude and Anthropic Research for reporting the issue and providing the fix.
AnalysisAI
PHP code injection in Twig template engine versions before 3.26.0 allows attackers controlling template names in {% use %} tags to break out of compiled cache file string literals and execute arbitrary PHP code. The flaw bypasses the Twig sandbox entirely because SecurityPolicy unconditionally permits {% use %} regardless of allowedTags configuration. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-7p85-w9px-jpjp) discloses the full exploitation primitive.
Technical ContextAI
Twig is a widely deployed PHP templating engine (distributed as composer package twig/twig) used by Symfony, Drupal, and many other PHP frameworks. The root cause is a CWE-94 (Improper Control of Generation of Code) defect in Compiler::string(), which escapes double quotes, dollar signs, backslashes, NUL, and TAB characters when generating PHP string literals - but neglects single quotes. In ModuleNode::compileConstructor(), the template name from {% use %} flows through subcompile() to string() and is emitted inside a single-quoted PHP literal in the compiled cache file. A single quote in the template name closes the literal early, letting attacker-controlled content become executable PHP that runs when the cache file is included. Because compiled caches are loaded on subsequent requests, exploitation persists across process boundaries until the cache is purged.
RemediationAI
Vendor-released patch: 3.26.0 - upgrade composer dependency twig/twig to 3.26.0 or later (composer require twig/twig:^3.26.0) as the primary fix, per the GHSA-7p85-w9px-jpjp advisory. After upgrading, purge the existing Twig compiled cache directory so that any previously cached files generated from attacker-influenced template names are regenerated under the fixed compiler. If immediate patching is not possible, the practical compensating control is to ensure template names passed to the loader and to {% use %} are never derived from user input - restrict template selection to a server-controlled allowlist and reject any name containing a single quote; this is more reliable than relying on SecurityPolicy because {% use %} is unconditionally permitted regardless of allowedTags. Disabling the on-disk cache (cache => false on the Environment) does not eliminate execution risk because the injected PHP still runs the first time the template is compiled and loaded, so the upgrade or input-sanitization control should be applied even when caching is off.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-7p85-w9px-jpjp