Symfony

Twig sandbox bypassed via a single quote in template name

CVE-2026-46633 in Twig lets a single quote in a template name inject arbitrary PHP into the cache file. Twig sandbox does not block it. Fixed in Twig 3.26.0.