CVE-2026-46640 in Twiginfo

Summary

by MITRE • 07/15/2026

Twig is a template language for PHP. From 3.15.0 until 3.26.0, _self.(<string>) and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression name without identifier validation, causing raw PHP to be emitted into the generated template source and executed at template-load time. This issue is fixed in version 3.26.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability exists within the Twig template engine for PHP, specifically affecting versions between 3.15.0 and 3.26.0 inclusive. The flaw resides in how the template parser handles dynamic attribute syntax involving _self.() and import-alias constructs. When these specific syntax patterns are used with attacker-controlled input, the system fails to properly validate identifier names within MacroReferenceExpression objects. This validation gap allows malicious input to be directly concatenated into PHP code generation, effectively enabling code injection at the template compilation stage rather than runtime.

The technical implementation of this vulnerability leverages the template engine's parsing logic where dynamic attribute access is processed without adequate sanitization of user-provided identifiers. When an attacker supplies malicious input through these specific syntax patterns, the parser treats the concatenated string as part of the PHP code structure, leading to raw PHP execution within the generated template source files. This represents a critical path for remote code execution since the injected code executes during template load time when the compiled PHP is interpreted by the server.

The operational impact of this vulnerability extends beyond simple code injection to encompass full remote code execution capabilities within the application context. Attackers can leverage this flaw to execute arbitrary PHP commands, potentially escalating privileges or accessing sensitive system resources depending on the web server configuration and application permissions. The vulnerability affects any application using Twig templates with dynamic attribute access patterns that accept user input without proper validation, creating a widespread attack surface across numerous PHP applications.

Security mitigations for this vulnerability require immediate upgrade to Twig version 3.26.0 or later where proper identifier validation has been implemented. Organizations should also implement strict input validation policies for any template parameters that may be processed through dynamic attribute syntax. The fix aligns with common security practices outlined in CWE-74 and CWE-94, which address injection flaws and insecure deserialization issues respectively. Additionally, this vulnerability maps to ATT&CK technique T1059.007 for PHP command execution and T1203 for exploitation of web application vulnerabilities. System administrators should conduct thorough code reviews to identify any custom template extensions or modifications that might bypass the standard validation mechanisms, while also implementing proper security monitoring to detect unusual template compilation patterns that could indicate exploitation attempts.

Responsible

GitHub M

Reservation

05/15/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!