Description
Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__<hash> name that can fall outside a SourcePolicyInterface sandbox decision, allowing a sandboxed template that can call template_from_string and include to render an inner template without security policy enforcement. This issue is fixed in version 3.26.0.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Debian DSA |
DSA-6311-1 | php-twig security update |
Github GHSA |
GHSA-24x9-r6q4-q93w | Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name |
References
History
Tue, 14 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__<hash> name that can fall outside a SourcePolicyInterface sandbox decision, allowing a sandboxed template that can call template_from_string and include to render an inner template without security policy enforcement. This issue is fixed in version 3.26.0. | |
| Title | Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name | |
| Weaknesses | CWE-693 | |
| References |
| |
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-14T21:19:17.804Z
Reserved: 2026-05-15T20:11:54.583Z
Link: CVE-2026-46634
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-693
Protection Mechanism Failure
Debian DSA
Github GHSA