PT-2026-42173 · Twig · Twig

Published: 2026-05-20 · Updated: 2026-06-07 · CVE-2026-46633

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Twig (affected versions not specified)

Description: The Compiler::string() function fails to escape single quotes when generating PHP double-quoted string literals. In ModuleNode::compileConstructor(), template names from a {% use %} tag are processed via subcompile() and string(), then placed within a PHP single-quoted string literal. A template name containing a single quote can terminate the string prematurely, allowing the injection of arbitrary PHP expressions into the compiled cache file. This leads to remote code execution within the PHP process when the cache file is loaded, bypassing the Twig sandbox because SecurityPolicy allows the {% use %} tag regardless of the allowedTags configuration.

Recommendations: Update to the version in which Compiler::string() escapes single quotes, so that template names can no longer break out of the surrounding PHP literals.

Exploit · Fix · Code Injection


Weakness Enumeration

Related Identifiers

CVE-2026-46633
GHSA-7P85-W9PX-JPJP

Affected Products

Twig