Product

Twig/Twig (< 3.26.0)

1 brief RSS

Twig: PHP Code Injection via `{% use %}` Template Name (CVE-2026-46633)

A code injection vulnerability (CVE-2026-46633) exists in Twig versions prior to 3.26.0, where a single quote in the `{% use %}` template name is not properly escaped, allowing arbitrary PHP code execution by bypassing the Twig sandbox.

twig/twig code-injection twig rce

2r 1t 54m ago