CVE-2026-46633

TwigPHP · Twig

Twig is vulnerable to code injection, allowing an authenticated user to perform unauthorized actions by manipulating template generation.

Executive summary

The Twig template engine contains a code injection vulnerability that allows an authenticated user with sufficient permissions to execute arbitrary code within the application context.

Vulnerability

This vulnerability is a code injection flaw arising from improper control over the generation of code, which can be triggered by an authenticated attacker to execute arbitrary commands.

Business impact

A successful exploit grants the attacker the ability to execute code with the privileges of the web application, leading to full system compromise, data theft, or lateral movement within the network. With a CVSS score of 8.7, this vulnerability poses a severe risk to the confidentiality, integrity, and availability of the host environment.

Remediation

Immediate Action: Update the Twig library to version 3.26.0 or later to resolve the code injection vulnerability.

Proactive Monitoring: Monitor application logs for suspicious template rendering activity or unauthorized attempts to access system-level functions.

Compensating Controls: Implement strict input validation and ensure that user-supplied content is never passed directly into template rendering functions without rigorous sanitization.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Administrators should treat this vulnerability as critical due to the potential for remote code execution. Ensure that all dependencies are audited and updated to version 3.26.0 to mitigate the risk of unauthorized code execution.