RCE in Twigphp Twig
CVE-2026-46640
Twig is a template language for PHP. From 3.15.0 until 3.26.0, _self.(<string>) and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression name without identifier validation, cau…
Vulnerability class: RCE (Remote Code Execution)
Affected products
- Twigphp Twig — versions >= 3.15.0, < 3.26.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)