Protection Mechanism Failure in Twig - CVE-2026-46634

Published: May 20, 2026
Vulnerability identifier: #VU131996
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-46634
CWE-ID: CWE-693
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Symfony
Affected software:
Twig

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass sandbox restrictions and execute arbitrary code or disclose sensitive information.

The vulnerability exists due to a protection mechanism failure in StringLoaderExtension::templateFromString() and Environment::createTemplate() when a sandboxed template renders an inner template created from a string. When the sandbox is enabled selectively through a SourcePolicyInterface rather than globally, the inner template is rendered without security policy enforcement. A remote attacker who can supply the contents of a sandboxed template can combine template_from_string and include to render a synthesized inner template outside the sandbox, bypassing sandbox restrictions to execute arbitrary code or disclose sensitive information.

The condition is specific to deployments where the sandbox is enabled selectively via SourcePolicyInterface rather than globally: the inner template receives a synthesized name, so name-based policy checks are skipped for it. Deployments that enable the sandbox globally do not trigger this condition. Note that template_from_string is only available when StringLoaderExtension is registered on the Environment.
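The PHP script below is an added example, not code from this advisory or from the Twig project. It sets up the three configuration shapes the description distinguishes (a selective sandbox keyed on an allow-listed name prefix, a selective sandbox that denies unless the name is trusted, and a global sandbox) and runs the same probe through each: a user-supplied template that renders a template_from_string inner template which applies a filter outside the allow-list. A correctly enforced sandbox must raise SecurityError; a render that completes means the inner template ran unsandboxed. It assumes twig/twig 3.11 or later (the releases that ship Twig\Sandbox\SourcePolicyInterface) installed via Composer, a hypothetical application that keeps operator templates under "trusted/" and user templates under "untrusted/", and that the synthesized name for a string template begins with "__string_template__"; the template contents and variables are constructed for the demonstration.

```php
<?php
// Added example for this advisory; not code from the advisory or the Twig project.
// Assumes twig/twig >= 3.11 (provides Twig\Sandbox\SourcePolicyInterface) via Composer.
// The "trusted/" and "untrusted/" naming scheme, the templates and the variables
// are constructed for this demonstration.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Extension\StringLoaderExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Allow-list security policy: sandboxed templates get only these tags, filters
// and functions, and no methods or properties on objects. include and
// template_from_string are allowed so the probe exercises exactly the code path
// named in the advisory; the json_encode filter used by the probe is NOT allowed.
$policy = new SecurityPolicy(
    ['if', 'for'],                        // allowed tags
    ['escape', 'upper'],                  // allowed filters
    [],                                   // allowed methods
    [],                                   // allowed properties
    ['include', 'template_from_string'],  // allowed functions
);

// Selective sandbox, allow-list by name prefix: only names under untrusted/ are
// sandboxed. The name Twig synthesizes for a string template (assumed here to
// begin with "__string_template__") matches no prefix, so this policy never
// sandboxes it.
final class SandboxUntrustedPrefixOnly implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        return str_starts_with($source->getName(), 'untrusted/');
    }
}

// Selective sandbox, deny unless trusted: every template not explicitly under
// trusted/ is sandboxed, which covers synthesized and otherwise unexpected names.
final class SandboxUnlessTrusted implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        return !str_starts_with($source->getName(), 'trusted/');
    }
}

// Constructed templates. The untrusted profile template renders an inner template
// built by template_from_string; that inner template applies json_encode, which is
// outside the allow-list, so a correctly sandboxed render must fail with SecurityError.
$templates = [
    'trusted/layout.twig'    => '<h1>{{ title|upper }}</h1>{{ include("untrusted/profile.twig") }}',
    'untrusted/profile.twig' => '{{ include(template_from_string("{{ secret|json_encode }}")) }}',
];

function buildEnvironment(array $templates, SecurityPolicy $policy, ?SourcePolicyInterface $sourcePolicy, bool $sandboxGlobally): Environment
{
    $twig = new Environment(new ArrayLoader($templates), ['cache' => false]);
    $twig->addExtension(new StringLoaderExtension());  // provides template_from_string
    $twig->addExtension(new SandboxExtension($policy, $sandboxGlobally, $sourcePolicy));
    return $twig;
}

// True when the sandbox stopped the inner template; false when the disallowed
// filter ran and the secret reached the output.
function innerTemplateIsSandboxed(Environment $twig): bool
{
    try {
        $twig->render('trusted/layout.twig', ['title' => 'profile', 'secret' => 'do-not-leak']);
        return false;
    } catch (SecurityError $e) {
        return true;
    }
}

$cases = [
    'selective, sandbox untrusted/ prefix only' => buildEnvironment($templates, $policy, new SandboxUntrustedPrefixOnly(), false),
    'selective, sandbox unless trusted/'        => buildEnvironment($templates, $policy, new SandboxUnlessTrusted(), false),
    'global sandbox'                            => buildEnvironment($templates, $policy, null, true),
];

foreach ($cases as $label => $twig) {
    printf("%-45s %s\n", $label . ':', innerTemplateIsSandboxed($twig) ? 'inner template sandboxed' : 'inner template rendered UNSANDBOXED');
}
```

Run it against the installed Twig version before and after applying the vendor update. The global sandbox case is the configuration the advisory describes as unaffected. The deny-unless-trusted policy is defence in depth against allow-list prefixes that synthesized names never match; since the advisory states that name-based policy checks are skipped for the inner template, an unpatched installation may report UNSANDBOXED for both selective policies, and only the update removes the condition.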


How to mitigate CVE-2026-46634

Install the security update from the vendor's website.

Until the update is applied, two configuration changes avoid the affected code path described above: enable the sandbox globally rather than selectively via SourcePolicyInterface, and do not register StringLoaderExtension on an Environment that renders untrusted templates, which removes the template_from_string function. Neither change replaces the update.
