securityonline.info 5/27/2026, 2:09:01 AM · external

Critical Twig template flaws let attackers run arbitrary PHP code

CyberSIXT Evidence Panel
Primary Source: github.com
CISA KEV: Not in KEV
Patch: Patch Status Unknown

This alert outlines critical vulnerabilities in the Twig template language for PHP, specifically two remote code execution flaws: CVE-2026-46640 and CVE-2026-46633. CVE-2026-46640 involves a flaw in compiling dynamic attributes that can allow attackers to bypass security measures and execute arbitrary PHP code. CVE-2026-46633 arises from improper escaping of single quotes in the template compiler, which can lead to arbitrary expressions being loaded. To mitigate these issues, users are urged to upgrade to Twig version 3.26.0 or higher as soon as possible.


Article by CyberSIXT