CVE-2026-46627 in Twiginfo

Summary

by MITRE • 07/15/2026

Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in Twig template engine prior to version 3.26.0 represents a critical design oversight in the sandbox security model that has significant implications for applications processing untrusted template content. This weakness stems from the fundamental assumption that sandboxed environments can adequately protect against all forms of resource abuse, particularly those that do not involve direct code execution or privilege escalation. The Twig sandbox mechanism was designed to restrict template access to potentially dangerous operations through allow-listing mechanisms, but it failed to account for resource exhaustion attacks that can be executed purely through template logic without violating the sandbox's access controls.

The technical flaw manifests in how the sandbox operates within the template processing pipeline, where malicious templates can construct computationally intensive loops, recursive structures, or memory-hungry operations that consume excessive system resources. These templates can leverage legitimate template features such as for loops, recursive includes, or complex variable manipulations to create denial-of-service conditions that exhaust CPU cycles, memory allocation, or execution time limits. The vulnerability specifically affects the sandbox's inability to monitor or limit resource consumption patterns during template rendering, allowing attackers to craft templates that appear benign but execute resource-intensive operations under the guise of legitimate template functionality.

From an operational perspective, this vulnerability creates a severe risk for web applications that accept user-generated templates or allow template customization, particularly in multi-tenant environments where different users share the same application resources. Attackers can exploit this weakness by submitting seemingly harmless templates that contain hidden resource-consuming logic, leading to system instability, performance degradation, or complete service unavailability. The impact extends beyond simple denial-of-service scenarios as resource exhaustion attacks can potentially be used as part of broader attack chains, such as amplification attacks or as a means to facilitate other vulnerabilities in the application stack.

The security implications of this vulnerability align with common weakness enumerations identified in the CWE database, specifically relating to resource exhaustion and inadequate sandboxing mechanisms. This flaw demonstrates the importance of understanding that traditional sandboxing approaches may not adequately address all attack vectors, particularly those involving resource abuse rather than direct code execution. The mitigation strategy implemented in version 3.26.0 acknowledges this limitation by clearly documenting the sandbox's boundaries and explicitly stating that resource exhaustion protection is outside its scope. This approach aligns with best practices in security engineering that recommend explicit documentation of security model limitations rather than false assumptions about protection capabilities.

Organizations using affected Twig versions should implement additional monitoring and resource limiting measures beyond the sandbox mechanism, including implementing execution time limits, memory usage quotas, and process isolation for template rendering operations. The ATT&CK framework's resource exhaustion tactics highlight similar patterns where attackers leverage legitimate application features to consume system resources without triggering traditional security controls, making this vulnerability particularly concerning for applications that do not implement additional safeguards beyond the default sandbox configuration.

Responsible

GitHub M

Reservation

05/15/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!