{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/twig--3.15.0--3.26.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Twig (\u003e= 3.15.0, \u003c 3.26.0)"],"_cs_severities":["high"],"_cs_tags":["rce","twig","php","code-injection"],"_cs_type":"threat","_cs_vendors":["Composer"],"content_html":"\u003cp\u003eA critical security flaw exists in Twig, a templating engine for PHP, specifically affecting versions 3.15.0 up to (but not including) 3.26.0. The vulnerability, identified as CVE-2026-46640, stems from the \u003ccode\u003eobj.(expr)\u003c/code\u003e dynamic-attribute syntax, which was introduced in version 3.15.0 as a replacement for the deprecated \u003ccode\u003eattribute()\u003c/code\u003e function. When the receiver is \u003ccode\u003e_self\u003c/code\u003e or an imported alias, and the expression is a string literal, the \u003ccode\u003eDotExpressionParser\u003c/code\u003e incorrectly concatenates the attacker-controlled string into a \u003ccode\u003eMacroReferenceExpression\u003c/code\u003e without proper validation. This bypasses the \u003ccode\u003eSandboxExtension\u003c/code\u003e, even with a globally-enabled sandbox and an empty \u003ccode\u003eSecurityPolicy\u003c/code\u003e allowlist. An attacker who can control the template source can inject arbitrary PHP code into the compiled template, resulting in code execution at template-load time.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains the ability to supply template source code to the Twig engine. This could be achieved through methods like exploiting an existing file upload vulnerability or directly manipulating template files if access is available.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious template containing the \u003ccode\u003e_self.(\u0026lt;string\u0026gt;)\u003c/code\u003e syntax, where \u003ccode\u003e\u0026lt;string\u0026gt;\u003c/code\u003e is a PHP code injection payload. For example, \u003ccode\u003e_self.(\u0026quot;system('whoami')\u0026quot;)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Twig engine parses the malicious template, and the \u003ccode\u003eDotExpressionParser\u003c/code\u003e handles the \u003ccode\u003e_self.(\u0026lt;string\u0026gt;)\u003c/code\u003e expression.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDotExpressionParser\u003c/code\u003e incorrectly concatenates the attacker-controlled string into a \u003ccode\u003eMacroReferenceExpression\u003c/code\u003e name without identifier validation, creating a malicious macro reference.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eMacroReferenceExpression::compile()\u003c/code\u003e method then emits this raw, unvalidated name directly into the generated PHP source code.\u003c/li\u003e\n\u003cli\u003eThe Twig engine loads and compiles the generated PHP source code, effectively executing the injected PHP code.\u003c/li\u003e\n\u003cli\u003eThe injected PHP code executes system commands (e.g., \u003ccode\u003ewhoami\u003c/code\u003e) or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system or data, potentially leading to further compromise, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the server, leading to complete system compromise. This can result in data breaches, service disruption, and potential financial loss. Given the widespread use of Twig in PHP-based web applications, a significant number of systems are potentially vulnerable. The bypass of \u003ccode\u003eSandboxExtension\u003c/code\u003e makes this particularly dangerous, as it circumvents common security measures intended to restrict code execution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Twig version 3.26.0 or later to patch CVE-2026-46640, as recommended in the GitHub advisory (\u003ca href=\"https://github.com/advisories/GHSA-45vw-wh46-2vx8\"\u003ehttps://github.com/advisories/GHSA-45vw-wh46-2vx8\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on any user-supplied data used in Twig templates to mitigate code injection risks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Twig RCE via Macro Injection (CVE-2026-46640)\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T21:32:18Z","date_published":"2026-05-21T21:32:18Z","id":"https://feed.craftedsignal.io/briefs/2026-05-twig-rce/","summary":"A vulnerability in Twig versions 3.15.0 to 3.26.0 (CVE-2026-46640) allows arbitrary PHP code execution via the `_self.(\u003cstring\u003e)` macro-reference compilation, enabling attackers to inject and execute arbitrary PHP code by supplying malicious template source, bypassing the SandboxExtension.","title":"Twig RCE via Macro-Reference Compilation (CVE-2026-46640)","url":"https://feed.craftedsignal.io/briefs/2026-05-twig-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Twig (\u003e= 3.15.0, \u003c 3.26.0)","version":"https://jsonfeed.org/version/1.1"}