Code Injection in Twig - CVE-2026-46633

Published: May 20, 2026


Vulnerability identifier: #VU131999
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-46633
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Symfony
Affected software:
Twig

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists because ModuleNode::compileConstructor() embeds the template name taken from a {% use %} tag directly into a single-quoted PHP string literal in the compiled template. A remote attacker can supply a specially crafted template name containing a single quote to execute arbitrary code.

The injected PHP executes when the compiled cache file is first loaded, and the issue is reachable from sandboxed templates because SecurityPolicy unconditionally allows the {% use %} tag.
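The quoting mistake described above, as an added illustration that is not Twig's source code: the emitted statement shape (`$this->loadTemplate(...)`) and the function names are hypothetical stand-ins, and var_export() is one way to harden the emission, not necessarily the vendor's actual patch.

```php
<?php
// Added illustration, not Twig's source: a minimal stand-in for the quoting
// step of ModuleNode::compileConstructor(). The emitted statement shape
// ($this->loadTemplate(...)) is hypothetical; only the handling of the
// single-quoted string literal is the point.

/** Vulnerable pattern: the template name is concatenated verbatim into a
 *  single-quoted PHP literal, so a quote inside the name ends the literal
 *  and whatever follows it is compiled as PHP code. */
function compileUseUnsafe(string $templateName): string
{
    return "\$_trait = \$this->loadTemplate('" . $templateName . "');\n";
}

/** Hardened pattern (one possible fix, not necessarily the vendor's):
 *  var_export() emits a correctly escaped PHP string literal for any input,
 *  so the name can never terminate the literal. */
function compileUseSafe(string $templateName): string
{
    return "\$_trait = \$this->loadTemplate(" . var_export($templateName, true) . ");\n";
}

/** Defensive check an integration layer can apply before a user-influenced
 *  name reaches the compiler: accept only plain path characters. This is a
 *  mitigating control, not a substitute for the upstream fix. */
function isPlainTemplateName(string $name): bool
{
    return preg_match('~^[A-Za-z0-9_./@-]+$~', $name) === 1;
}

// Constructed sample name containing a single quote (not an exploit payload).
$name = "blocks'it.twig";

echo compileUseUnsafe($name);   // the quote closes the literal early
echo compileUseSafe($name);     // the quote is escaped; still one string
var_dump(isPlainTemplateName($name));              // rejected by the check
var_dump(isPlainTemplateName('layout/base.twig')); // accepted by the check
```

Comparing the two emitted lines side by side shows why the compiled cache file, not the template engine at render time, is where the injected code would run.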


How to mitigate CVE-2026-46633

Install the security update from the vendor's website.
