Product

Twig (>= 3.15.0, < 3.26.0)

1 brief RSS

Twig RCE via Macro-Reference Compilation (CVE-2026-46640)

A vulnerability in Twig versions 3.15.0 to 3.26.0 (CVE-2026-46640) allows arbitrary PHP code execution via the `_self.(<string>)` macro-reference compilation, enabling attackers to inject and execute arbitrary PHP code by supplying malicious template source, bypassing the SandboxExtension.

Twig rce php code-injection

2r 1t 48m ago