CVE-2026-46633: Twig: PHP Code Injection via Malformed Template Names
CVE-2026-46633 · GHSA-7p85-w9px-jpjp · CVSS 4.0 (GHSA): 9.3
Summary
A flaw in Twig lets an attacker inject PHP code through a malformed template name. The injected code can expose sensitive data and may let the attacker execute code on the server. Twig 3.26.0 fixes this by escaping single quotes in template names when they are compiled, which prevents the injection.
What to do
- Update the Composer/Packagist package twig/twig (vendor twig) to version 3.26.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| composer | twig | twig | < 3.26.0 | upgrade to 3.26.0 |
| Packagist | twig | twig/twig | < 3.26.0 | upgrade to 3.26.0 |
Original title
Twig: PHP code injection via `{% use %}` template name
Original description
### Description
`Compiler::string()` escapes `"`, `$`, `\`, NUL and TAB when generating PHP double-quoted string literals, but does not escape single quotes. In `ModuleNode::compileConstructor()`, the template name from a `{% use %}` tag is compiled via `subcompile()` -> `string()` and placed inside a surrounding PHP single-quoted string literal. A template name containing a single quote terminates that surrounding string early, allowing arbitrary PHP expressions to be injected into the compiled cache file.
The injected code executes within the PHP process when the cache file is first loaded, bypassing the Twig sandbox entirely and achieving remote code execution. `SecurityPolicy` unconditionally allows `{% use %}` regardless of the configured `allowedTags`, so this primitive is reachable from sandboxed templates as well.
### Resolution
`Compiler::string()` now also escapes single quotes so that template names placed inside single-quoted PHP literals can no longer break out of the surrounding context.
### Credits
Twig would like to thank Anvil Secure in collaboration with Claude and Anthropic Research for reporting the issue and providing the fix.
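The mechanism described above (a value escaped for a double-quoted PHP literal, then placed inside a surrounding single-quoted literal) can be checked mechanically. The following is an added illustration, not Twig's own code: `compileDoubleQuotedLiteralPreFix()` and `compileDoubleQuotedLiteralFixed()` model the escape sets the advisory describes (`"`, `$`, `\`, NUL, TAB before the fix; the same plus `'` after it) using PHP's `addcslashes()`, `embedInSingleQuotedLiteral()` is a simplified stand-in for the placement in the compiled cache file, and `isSingleStringLiteral()` uses `token_get_all()` to verify that the generated code still tokenises as one string literal. The sample template names are constructed for the demonstration.

```php
<?php
// Added example modelled on the advisory text; the escape sets and the
// single-quoted embedding are assumptions, not Twig's actual source.

/** Pre-fix behaviour as described: escapes ", $, \, NUL and TAB, but not '. */
function compileDoubleQuotedLiteralPreFix(string $value): string
{
    return '"' . addcslashes($value, "\0\t\"\$\\") . '"';
}

/** Fixed behaviour: the single quote is added to the escape set. */
function compileDoubleQuotedLiteralFixed(string $value): string
{
    return '"' . addcslashes($value, "\0\t\"\$\\'") . '"';
}

/** Simplified model of the vulnerable placement: the generated double-quoted
 *  literal ends up inside a single-quoted PHP literal in the compiled file. */
function embedInSingleQuotedLiteral(string $innerLiteral): string
{
    return "'" . $innerLiteral . "'";
}

/** True when $code tokenises as exactly one PHP string literal, i.e. the
 *  embedded value did not terminate the surrounding quotes early. */
function isSingleStringLiteral(string $code): bool
{
    $tokens = token_get_all('<?php ' . $code . ';');
    $stringTokens = 0;
    foreach ($tokens as $token) {
        if (!is_array($token)) {
            // Any single-character token other than the closing ';' means a
            // stray quote, operator or parenthesis leaked into the code.
            if ($token !== ';') {
                return false;
            }
            continue;
        }
        [$id] = $token;
        if ($id === T_OPEN_TAG || $id === T_WHITESPACE) {
            continue;
        }
        if ($id !== T_CONSTANT_ENCAPSED_STRING) {
            return false; // e.g. T_STRING: bare code outside the literal
        }
        $stringTokens++;
    }
    return $stringTokens === 1;
}

// Constructed sample names: a benign one and one containing a single quote.
$names = ['layout.html.twig', "odd'name.html.twig"];
foreach ($names as $name) {
    $preFix = embedInSingleQuotedLiteral(compileDoubleQuotedLiteralPreFix($name));
    $fixed  = embedInSingleQuotedLiteral(compileDoubleQuotedLiteralFixed($name));
    printf(
        "%-22s pre-fix intact: %s   fixed intact: %s\n",
        $name,
        isSingleStringLiteral($preFix) ? 'yes' : 'no',
        isSingleStringLiteral($fixed) ? 'yes' : 'no'
    );
}
// Expected: the benign name is intact in both variants; the quoted name is
// intact only with the fixed escaping.
```

`isSingleStringLiteral()` is the reusable part: it makes a useful regression check for any code generator that embeds user-controlled values in PHP literals, because it asks the PHP lexer itself whether the value stayed inside the literal rather than relying on a hand-written list of dangerous characters.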
Severity: CVSS 4.0 (GHSA) 9.3
Vulnerability type: CWE-94 (Code Injection)
Published: 21 May 2026 · Updated: 29 May 2026 · First seen: 21 May 2026