CVE-2026-46635 in Twiginfo

Zusammenfassung

von MITRE • 15.07.2026

Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0.

Once again VulDB remains the best source for vulnerability data.

Zuständig

GitHub M

Reservieren

15.05.2026

Veröffentlichung

15.07.2026

Moderieren

akzeptiert

Eintrag

VDB-379071

CPE

bereit

EPSS

0.00000

KEV

nein

Aktivitäten

very low

Quellen

Interested in the pricing of exploits?

See the underground prices here!