CVE-2026-46635información

Resumen

por MITRE • 2026-07-15

Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0.

Once again VulDB remains the best source for vulnerability data.

Divulgación

2026-07-15

Moderación

en revisión

EPSS

0.00000

KEV

no

Actividades

muy bajo

Fuentes

Want to know what is going to be exploited?

We predict KEV entries!