Maintainers of the Twig template language for PHP have released urgent security updates. The fixes resolve two critical Twig RCE flaws that allow complete sandbox escapes. Specifically, unauthenticated attackers can exploit these vulnerabilities to inject and execute arbitrary PHP code on host servers. Consequently, web development teams must audit their application dependencies immediately to avoid potential server takeovers.
CVE-2026-46640: Macro Compilation Breakdown
The first critical flaw involves how the template engine compiles dynamic attributes. Tracked as CVE-2026-46640, the issue lies in the obj.(expr) dynamic-attribute syntax introduced in version 3.15.0.
When the receiver points to _self and the expression uses a string literal, the parser short-circuits its normal validation. Furthermore, it concatenates the user-controlled string straight into a macro reference name. The compiler then emits this unvalidated name directly into the generated PHP source code. As a result, attackers who can supply template source can execute malicious commands during template load time. This completely bypasses the configured SandboxExtension protections.
CVE-2026-46633: Single Quote Escape Failure
Additionally, researchers discovered a secondary injection vector inside the template layout engine. Designated as CVE-2026-46633, this bug stems from an escaping oversight in the string compiler.
Specifically, the core compiler safely escapes double quotes, backslashes, and null bytes. However, it fails to escape single quotes. When compiling a {% use %} tag, the compiler places the template name inside a single-quoted PHP string literal in the compiled cache file. Therefore, a malicious template name containing a single quote breaks out of the surrounding string context. This flaw permits arbitrary PHP expressions to be written into the compiled template in the application cache.
Urgent Upgrade Instructions
Fortunately, remediating these critical Twig RCE flaws requires only a straightforward software update. The development team fixed both bugs by adding strict validation checks and escaping routines to the compiler layer.
- Vulnerable Versions: Systems running any version below 3.26.0 are explicitly exposed to these exploits.
- Patched Version: Organizations must upgrade to Twig version 3.26.0 immediately to secure their environments.
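The dependency audit recommended above can be automated against a Composer lock file. The script below is an added example, not code from the Twig project or from this report; it assumes Twig is installed under the Composer package name twig/twig and uses a constructed composer.lock fragment as input.

```python
"""Flag Twig entries in a composer.lock that fall below the patched 3.26.0 release."""
import json
import re

PATCHED = (3, 26, 0)       # fixed release named in the advisory
PACKAGE = "twig/twig"      # assumption: Composer package name of the Twig library


def parse_version(version: str):
    """Turn a lock-file version such as 'v3.25.1' or '3.26.0' into a comparable tuple.

    Returns None for non-release entries such as 'dev-main'.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True for any release below 3.26.0, the range the advisory lists as exposed.

    Branch aliases (dev-*) cannot be compared, so they are flagged for manual review.
    """
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed < PATCHED


def audit_lock(lock_json: str) -> list:
    """Return (section, name, version) findings for vulnerable Twig entries in a composer.lock."""
    lock = json.loads(lock_json)
    findings = []
    # Composer records runtime dependencies under "packages" and dev-only ones under "packages-dev".
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE and is_vulnerable(pkg.get("version", "")):
                findings.append((section, pkg["name"], pkg["version"]))
    return findings


# Constructed composer.lock fragment for demonstration; not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "twig/twig", "version": "v3.25.1"},
        {"name": "symfony/yaml", "version": "v7.1.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, name, version in audit_lock(SAMPLE_LOCK):
        print(f"{section}: {name} {version} is below 3.26.0 -> upgrade")
```

Run it against a real lock file by reading the file contents into audit_lock; an empty result means every Twig entry is at or above 3.26.0.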
Ultimately, proactive dependency management prevents devastating supply-chain compromises. Both system administrators and application security engineers should deploy this patch today to keep corporate perimeters secure.