CVE-2026-46633 in Twig
Summary
by MITRE • 07/15/2026
Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name to terminate the string and inject arbitrary PHP expressions into the compiled cache file. This issue is fixed in version 3.26.0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability in Twig template engine affects versions prior to 3.26.0 where the Compiler::string() method fails to properly escape single quotes when processing template names from {% use %} tags. This represents a critical code injection flaw that occurs during the template compilation phase, specifically when template inheritance is utilized through the use tag directive. The issue stems from inadequate input sanitization within the compiler's string handling logic, creating a path for malicious template names to break out of their intended single-quoted string context.
When a malicious actor crafts a template name containing unescaped single quotes, they can manipulate the compiled PHP cache file by terminating the existing string literal and injecting arbitrary PHP code. This vulnerability operates at the compilation layer rather than runtime, making it particularly dangerous as it affects the generation of cached templates that are subsequently executed. The flaw allows for arbitrary code execution within the context of the web application running the Twig engine, potentially enabling full system compromise.
The technical impact extends beyond simple code injection to encompass privilege escalation and persistent backdoor capabilities. Attackers can leverage this vulnerability to execute malicious PHP code in the web server's context, potentially leading to data exfiltration, lateral movement, or complete system takeover. The vulnerability is categorized under CWE-94 as "Improper Control of Generation of Code" and aligns with ATT&CK technique T1059.007 for "Command and Scripting Interpreter: Python" in execution contexts where PHP code injection occurs. This represents a classic path for remote code execution through template manipulation, exploiting the trust placed in template compilation processes.
Mitigation strategies include upgrading to Twig version 3.26.0 or later where the escaping mechanism has been properly implemented. Organizations should also implement strict template validation policies and monitor compiled cache files for unauthorized modifications. Additional defensive measures involve restricting template creation privileges to trusted users only and implementing runtime checks that validate template names against known safe patterns. Security teams should conduct regular vulnerability assessments of template-based applications and ensure proper input validation at all layers of the application stack, particularly focusing on compilation-time code generation processes that handle user-supplied data. The fix addresses the root cause by ensuring proper escaping of single quotes in template names during the compiler phase, preventing string termination that could lead to arbitrary PHP code injection.