{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/twig/twig--3.26.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["twig/twig (\u003c 3.26.0)"],"_cs_severities":["critical"],"_cs_tags":["code-injection","twig","rce"],"_cs_type":"advisory","_cs_vendors":["Composer"],"content_html":"\u003cp\u003eA critical code injection vulnerability, tracked as CVE-2026-46633, affects Twig versions before 3.26.0. The vulnerability stems from insufficient escaping of single quotes within the \u003ccode\u003eCompiler::string()\u003c/code\u003e function when handling template names in \u003ccode\u003e{% use %}\u003c/code\u003e tags. Specifically, the \u003ccode\u003eCompiler::string()\u003c/code\u003e function escapes characters like \u003ccode\u003e\u0026quot;\u003c/code\u003e and \u003ccode\u003e$\u003c/code\u003e but fails to escape single quotes, which are later used within a PHP single-quoted string literal in \u003ccode\u003eModuleNode::compileConstructor()\u003c/code\u003e. This oversight allows an attacker to inject arbitrary PHP code by including a single quote in the template name passed to the \u003ccode\u003e{% use %}\u003c/code\u003e tag. The injected code is then executed when the compiled Twig cache file is loaded, bypassing the configured \u003ccode\u003eSecurityPolicy\u003c/code\u003e and leading to remote code execution. The \u003ccode\u003e{% use %}\u003c/code\u003e tag is unconditionally allowed regardless of the \u003ccode\u003eallowedTags\u003c/code\u003e configuration, making this vulnerability reachable even from sandboxed templates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Twig template containing a \u003ccode\u003e{% use %}\u003c/code\u003e tag.\u003c/li\u003e\n\u003cli\u003eThe template name within the \u003ccode\u003e{% use %}\u003c/code\u003e tag includes a single quote followed by arbitrary PHP code, e.g., \u003ccode\u003e{% use 'x' . phpinfo() . 'y' %}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Twig template is rendered using a vulnerable version of Twig (\u0026lt;3.26.0).\u003c/li\u003e\n\u003cli\u003eDuring compilation, the \u003ccode\u003eModuleNode::compileConstructor()\u003c/code\u003e function processes the \u003ccode\u003e{% use %}\u003c/code\u003e tag and uses \u003ccode\u003eCompiler::string()\u003c/code\u003e to escape the template name.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCompiler::string()\u003c/code\u003e fails to escape the single quote, allowing the attacker to break out of the surrounding PHP single-quoted string literal.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP code is written into the compiled Twig cache file.\u003c/li\u003e\n\u003cli\u003eThe compiled Twig cache file is loaded by the PHP engine during subsequent template renderings.\u003c/li\u003e\n\u003cli\u003eThe injected PHP code executes within the PHP process, bypassing the Twig sandbox and achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary PHP code on the server hosting the Twig application. Given that the Twig sandbox is bypassed, attackers can perform a wide range of malicious actions, including reading sensitive files, modifying application data, and potentially gaining full control of the server. This vulnerability affects applications using Twig versions prior to 3.26.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Twig version 3.26.0 or later to patch CVE-2026-46633.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential exploitation attempts by monitoring for the \u003ccode\u003euse\u003c/code\u003e tag containing a single quote (\u0026#39;).\u003c/li\u003e\n\u003cli\u003eReview existing Twig templates for any instances of user-controlled input being used in \u003ccode\u003e{% use %}\u003c/code\u003e tags and sanitize the input to prevent code injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T21:26:07Z","date_published":"2026-05-21T21:26:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-twig-code-injection/","summary":"A code injection vulnerability (CVE-2026-46633) exists in Twig versions prior to 3.26.0, where a single quote in the `{% use %}` template name is not properly escaped, allowing arbitrary PHP code execution by bypassing the Twig sandbox.","title":"Twig: PHP Code Injection via `{% use %}` Template Name (CVE-2026-46633)","url":"https://feed.craftedsignal.io/briefs/2026-05-twig-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Twig/Twig (\u003c 3.26.0)","version":"https://jsonfeed.org/version/1.1"}