CVE-2026-46640
TwigPHP · Twig
Twig is vulnerable to code injection, allowing an authenticated attacker to manipulate template generation and execute arbitrary code.
Executive summary
Twig contains an authenticated code injection vulnerability that could allow an attacker to achieve unauthorized code execution within the application environment.
Vulnerability
This vulnerability involves improper control of code generation, enabling an authenticated user to perform code injection attacks that bypass standard security restrictions.
Business impact
Exploitation of this vulnerability allows an attacker to execute arbitrary code, which can result in complete loss of application control, unauthorized data access, and potential escalation of privileges. The CVSS score of 8.7 highlights the significant risk to business operations and the critical necessity for patching.
Remediation
Immediate Action: Upgrade the Twig template engine to version 3.26.0 or higher to mitigate the code injection risk.
Proactive Monitoring: Review application performance logs and audit logs for anomalous behavior related to template processing or unexpected system calls.
Compensating Controls: Use a Web Application Firewall to monitor for and block known injection patterns, while restricting user access to template management features.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the high severity of this code injection vulnerability, immediate patching is required to secure the environment. Ensure all instances of Twig are updated to version 3.26.0 to eliminate the risk of arbitrary code execution by authenticated actors.