Protection Mechanism Failure in Twig - CVE-2026-46638

Published: May 20, 2026


Vulnerability identifier: #VU131995
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-46638
CWE-ID: CWE-693
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Symfony
Affected software:
Twig

Detailed vulnerability description

The vulnerability allows a remote user to bypass sandbox restrictions.

The vulnerability exists due to a protection mechanism failure in the {% sandbox %}{% include %} template inclusion path when a cached template is included in a sandboxed context. A remote user can author a template that is first loaded outside the sandbox and later included inside the sandbox, bypassing the sandbox restrictions.

The issue occurs when the included template was previously loaded in the same Environment instance outside the sandbox: the already-loaded (cached) template is reused, and the sandbox security allowlist is not re-applied to it.

How to mitigate CVE-2026-46638

Install the security update from the vendor's website.
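One defensive layout that removes the precondition described above (a template first loaded outside the sandbox in the same Environment instance), added here as an example that is not the advisory's or the Twig project's own code: render untrusted templates only in a dedicated Twig Environment whose SandboxExtension is enabled globally via its `sandboxed` constructor flag, so that no template in that Environment is ever loaded outside the sandbox and the allowlist is checked on every render and every include. The template names and sources below are constructed, and the layout is defense in depth alongside the vendor update rather than a substitute for it.

```php
<?php
// Added example (not from the advisory or the Twig project).
// Assumes Twig 3.x installed via Composer and a PHP 8 runtime.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Allowlist for untrusted templates: tags, filters, methods, properties, functions.
// 'escape' is listed so autoescaping keeps working inside the sandbox.
$policy = new SecurityPolicy(
    ['if', 'for', 'include'],   // allowed tags
    ['escape', 'upper'],        // allowed filters
    [],                         // allowed methods (class => [method, ...])
    [],                         // allowed properties
    ['range']                   // allowed functions
);

// Constructed templates standing in for user-authored content.
// 'page.twig' includes 'partial.twig'; 'check.twig' uses a filter that is
// deliberately not on the allowlist, to confirm the policy is enforced.
$loader = new ArrayLoader([
    'partial.twig' => 'Hello {{ name|upper }}',
    'page.twig'    => '<p>{% include "partial.twig" %}</p>',
    'check.twig'   => '{{ name|json_encode }}',
]);

// Dedicated Environment for untrusted content. sandboxed=true means the policy
// applies to every template rendered here, regardless of load order or whether
// the template is already cached in this Environment. Trusted templates should
// be rendered from a separate Environment instance, never from this one.
$untrusted = new Environment($loader, ['autoescape' => 'html']);
$untrusted->addExtension(new SandboxExtension($policy, true));

/**
 * Render an untrusted template, refusing (rather than falling back to an
 * unsandboxed render) when the sandbox policy rejects it.
 */
function renderUntrusted(Environment $env, string $name, array $vars): string
{
    try {
        return $env->render($name, $vars);
    } catch (SecurityError $e) {
        // In production: log the template name and policy violation for review.
        return 'blocked: ' . $e->getMessage();
    }
}

// 1. Load 'partial.twig' first (it is now cached in this Environment).
echo renderUntrusted($untrusted, 'partial.twig', ['name' => 'alice']), PHP_EOL;
// 2. Include the cached partial from another template. Because the sandbox is
//    always on in this Environment, the allowlist was applied on the first load
//    too, so there is no unsandboxed copy to reuse.
echo renderUntrusted($untrusted, 'page.twig', ['name' => 'alice']), PHP_EOL;
// 3. Sanity check: a non-allowlisted filter is rejected with a SecurityError.
echo renderUntrusted($untrusted, 'check.twig', ['name' => 'alice']), PHP_EOL;
```

The important design choice is the one-Environment-per-trust-level split: the condition the advisory describes requires a template to be loaded unsandboxed and then reused inside `{% sandbox %}` within the same Environment instance, which cannot happen when the Environment that serves untrusted content has the sandbox enabled for all templates and trusted templates live elsewhere.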

Sources