Product

Twig/Twig (>= 3.24.0, < 3.26.0)

1 brief RSS

Twig Sandbox Bypass via Object Destructuring Assignment (CVE-2026-46639)

A vulnerability in Twig versions 3.24.0 to 3.26.0 (CVE-2026-46639) allows an attacker with write access to a sandboxed Twig template to bypass security policy restrictions by exploiting object-destructuring assignment to read any public property or invoke any public getter on objects passed to the template engine.

twig/twig twig sandbox-bypass cve-2026-46639

1r 1t 1h ago