(Twig), Code Injection, CVE-2026-46633 (Critical)

Listen to this Post

How the mentioned CVE works (around 20 lines):

`Compiler::string()` escapes characters ", $, \, NUL and TAB when generating PHP double‑quoted string literals, but does not escape single quotes. In ModuleNode::compileConstructor(), the template name from a `{% use %}` tag is compiled via `subcompile() -> string()` and placed inside a surrounding PHP single‑quoted string literal. A template name containing a single quote terminates that surrounding string early, allowing arbitrary PHP expressions to be injected into the compiled cache file. The injected code executes within the PHP process when the cache file is first loaded, bypassing the Twig sandbox entirely and achieving remote code execution. `SecurityPolicy` unconditionally allows `{% use %}` regardless of the configured allowedTags, so this primitive is reachable from sandboxed templates as well. The resolution makes `Compiler::string()` also escape single quotes so that template names placed inside single‑quoted PHP literals can no longer break out of the surrounding context.

DailyCVE form:

Platform: Twig (PHP)
Version: <3.26.0
Vulnerability: RCE
Severity: Critical
date: 2026‑05‑20

Prediction: 2026‑05‑20

Analytics

What Undercode Say:

Check Twig version:

php -r "echo Twig\Environment::VERSION;"

Patch update command (using Composer):

composer require twig/twig:^3.26.0

Verify escaping of single quotes in `Compiler::string()`:

$compiler->string("malicious' . payload . '");

Monitor for suspicious `{% use %}` tags in logs:

grep -r "{% use" templates/ | grep "'" | awk '{print}'

Exploit:

A malicious template name containing a single quote can break the PHP single‑quoted string and inject arbitrary code. Example:

template_name = "malicious'. system('id'); //"

When compiled, the cache file contains:

'...malicious' . system('id'); //...'

On loading, `system(‘id’)` executes, achieving RCE.

Protection from this CVE:

  • Upgrade to Twig v3.26.0 or later immediately.
  • If you cannot upgrade, manually patch `Compiler::string()` to also escape single quotes (unlikely to be backported).
  • Avoid using `{% use %}` tags in sandboxed environments until upgraded.

Impact:

  • Remote Code Execution (RCE) in the PHP process – full server compromise.
  • Complete bypass of Twig sandbox – sandboxed templates become a direct gateway to RCE.
  • Attacker can read/write files, execute OS commands, pivot within the infrastructure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top