CVE-2026-46633 is a PHP code injection vulnerability in Twig that bypasses the sandbox entirely. The fix landed in Twig 3.26.0 on May 20. If you render Twig templates with any user-controlled template name, this is a same-day patch.

The vulnerability sits in Compiler::string(). When Twig compiles a {% use %} tag, it places the template name inside a PHP single-quoted string literal in the generated cache file. The compiler escaped double quotes, $, backslashes, NUL, and TAB -- but not single quotes. A template name containing a ' character terminates the surrounding string literal early. Arbitrary PHP expressions land in the cache file and run the next time it is loaded.

Why the sandbox does not help

Twig's SecurityPolicy governs what tags, filters, and functions are permitted inside sandboxed templates. It does not restrict {% use %} tags. A sandboxed template that passes a user-controlled value as a template name to {% use %} is fully exploitable. The sandbox gives no protection here.

The fix is a one-line change: Compiler::string() now escapes single quotes to \x27.

Related vulnerability: CVE-2026-46640

Twig 3.26.0 fixes a second related injection issue: CVE-2026-46640 covers PHP code execution via macro reference compilation (_self.(<string>)). The attack surface is different but the underlying class of problem is the same -- unsanitized user input reaching the PHP code generator. If you are evaluating exposure, check both.

In total, Twig 3.26.0 addresses 13 CVEs. The two PHP injection vulnerabilities are the highest impact.

Who is exposed

The direct exposure condition: your application passes user-controlled input as a template name to {% use %} in any Twig template, sandboxed or not.

Broader exposure: Symfony-based applications and Drupal sites using third-party modules that accept template names from request parameters. Many CMS plugin ecosystems do this without the downstream developer realizing the template name is user-controlled.
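An added audit helper for the exposure condition above (example code, not from the advisory, Twig or Symfony): it lists every {% use %} tag whose template name is anything other than a plain string literal, and checks a composer.lock for a twig/twig version below 3.26.0. The sample template and lock fragment are constructed, and the regexes are this example's own approximation of Twig's tag syntax.

```python
"""Audit helpers for the CVE-2026-46633 exposure condition: find {% use %} tags
whose template name is not a plain string literal, and check composer.lock for a
twig/twig version below the fixed release. All sample data here is constructed."""
import json
import re

# {% use <expr> %} with an optional "with a as b" clause; "-" whitespace trims allowed
_USE_TAG = re.compile(r"\{%-?\s*use\s+(?P<expr>.+?)\s*(?:\bwith\b.*?)?-?%\}")
# Exactly one quoted literal: no concatenation, variables, calls or filters
_LITERAL = re.compile(r"""^(?:"[^"]*"|'[^']*')$""")


def find_dynamic_use_tags(source: str, path: str = "<inline>") -> list:
    """Return (path, line, expression) for each {% use %} whose name is not a literal."""
    hits = []
    for m in _USE_TAG.finditer(source):
        expr = m.group("expr").strip()
        if not _LITERAL.match(expr):
            line = source.count("\n", 0, m.start()) + 1
            hits.append((path, line, expr))
    return hits


def twig_needs_update(lock_json: str, fixed=(3, 26, 0)) -> bool:
    """True when composer.lock pins twig/twig to a version below the fixed release."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "twig/twig":
            nums = re.findall(r"\d+", pkg.get("version", ""))[:3]
            return tuple(int(n) for n in nums) < fixed
    return False  # twig/twig is not installed at all


# Constructed sample template: one literal name, two names built from request data
SAMPLE_TEMPLATE = """{% extends "layout.html.twig" %}
{% use "blocks/sidebar.html.twig" %}
{% use theme_name ~ "/blocks.html.twig" with sidebar as theme_sidebar %}
{%- use app.request.get('skin') -%}
"""
# Constructed composer.lock fragment pinning a pre-fix release
SAMPLE_LOCK = '{"packages": [{"name": "twig/twig", "version": "v3.25.1"}]}'

if __name__ == "__main__":
    for path, line, expr in find_dynamic_use_tags(SAMPLE_TEMPLATE, "page.html.twig"):
        print(f"{path}:{line}: dynamic template name in {{% use %}}: {expr}")
    print("twig/twig update required:", twig_needs_update(SAMPLE_LOCK))
```

Run it over your templates directory and composer.lock; a flagged line is worth tracing back to its data source, not an automatic finding.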

Update path

# Check current version
composer show twig/twig

# Update
composer require "twig/twig:^3.26"

After updating, clear the Twig cache. Compiled cache files from before the patch may still contain injected code if exploitation occurred before the update.

# Symfony
php bin/console cache:clear

# Or delete the cache directory directly
rm -rf var/cache/

For a broader look at how injection chains can escalate through framework components, see Ollama CVE-2026-7482 for a comparable RCE disclosure pattern.


Sources: Symfony blog -- CVE-2026-46633; Twig 3.26.0 release; CVE-2026-46640 advisory