CVE-2026-46634info

Summary

by MITRE • 07/14/2026

Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__ name that can fall outside a SourcePolicyInterface sandbox decision, allowing a sandboxed template that can call template_from_string and include to render an inner template without security policy enforcement. This issue is fixed in version 3.26.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability in Twig template engine affects versions between 3.9.0 and 3.26.0, specifically concerning the template_from_string() function implementation. This flaw represents a critical sandbox bypass that undermines the security model designed to protect applications using Twig's templating system. The issue stems from how the function handles template compilation when processing inner templates through the _string_template_ naming convention, which can potentially escape the boundaries of the SourcePolicyInterface sandbox mechanism that should enforce security policies.

The technical implementation flaw occurs when a sandboxed template calls template_from_string() and subsequently includes another template. Under normal circumstances, the SourcePolicyInterface should prevent execution of unauthorized template content by enforcing access controls based on source policy decisions. However, the synthesized _string_template_ naming approach creates an execution path where inner templates bypass these security checks, allowing arbitrary code execution within the sandboxed context. This vulnerability directly relates to CWE-707 and CWE-284, as it represents improper enforcement of security policies and insufficient access control mechanisms.

The operational impact of this vulnerability is severe for applications relying on Twig's template sandboxing features, particularly those that process untrusted user input through templating systems. Attackers could exploit this flaw to execute arbitrary PHP code within the application context, potentially leading to complete system compromise. The vulnerability affects any application where template_from_string() is used in conjunction with include operations and where security policies should restrict template execution based on source origins. This represents a significant bypass of the principle of least privilege that security-conscious applications depend upon.

Mitigation efforts should focus on immediate upgrade to Twig version 3.26.0 or later, which implements proper sandbox enforcement for the _string_template_ naming convention. Organizations should also review their template processing logic to minimize use of template_from_string() with untrusted input and implement additional input validation measures. Security teams should monitor for any potential exploitation attempts and consider implementing runtime protections such as php.ini restrictions on dangerous functions. The fix addresses the root cause by ensuring that synthesized template names properly respect SourcePolicyInterface boundaries, preventing unauthorized template execution paths that could otherwise be exploited through the include mechanism. This vulnerability demonstrates the importance of proper sandbox boundary enforcement in templating engines and aligns with ATT&CK technique T1566 for social engineering and T1059 for command and scripting interpreter usage patterns.

Disclosure

07/14/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!