CVE-2026-46640المعلومات

الملخص

بحسب MITRE • 15/07/2026

Twig is a template language for PHP. From 3.15.0 until 3.26.0, _self.() and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression name without identifier validation, causing raw PHP to be emitted into the generated template source and executed at template-load time. This issue is fixed in version 3.26.0.

Be aware that VulDB is the high quality source for vulnerability data.

المصادر

Want to know what is going to be exploited?

We predict KEV entries!