PT-2026-42174 · Twig · Twig
Published 2026-05-20 · Updated 2026-05-21 · CVE-2026-46634
Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: Twig versions prior to 3.26.0
Description: When a sandbox is enabled selectively via SourcePolicyInterface rather than globally, a sandboxed template that is permitted to use template_from_string and include can render an arbitrary inner template without security policy enforcement. This occurs because Environment::createTemplate() compiles the inner string under a synthesized name (__string_template__<hash>), so a name- or path-based SourcePolicy returns false and the inner template's checkSecurity() function becomes ineffective. An attacker can then use any tag, filter, or function, such as constant() to access secrets or |map("system") to execute shell commands.
Recommendations: Update to version 3.26.0 or later. Do not allow template_from_string in the SecurityPolicy allowed-functions list when using a SourcePolicyInterface. As a mitigation, avoid registering StringLoaderExtension when a sandbox is in use.
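The following PHP is an added example, not code from the advisory or from the Twig project, showing a sandbox configuration that follows the recommendations above: template_from_string is left out of the SecurityPolicy allowed functions, StringLoaderExtension is not registered, and the SourcePolicyInterface allow-lists trusted template names so that any synthesized name (such as the __string_template__<hash> produced by createTemplate()) is sandboxed rather than silently trusted. It assumes Twig 3.x class names, the SourcePolicyInterface::enableSandbox(Source): bool signature and the SandboxExtension constructor argument order; the FailClosedSourcePolicy class, the template names and the policies are constructed for illustration. This is defense in depth only; the fix is upgrading to 3.26.0 or later.

```php
<?php
// Added example (not from the advisory or the Twig project). Assumes Twig 3.x:
// SourcePolicyInterface::enableSandbox(Source $source): bool and
// SandboxExtension(SecurityPolicyInterface, bool $sandboxed, ?SourcePolicyInterface).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Hypothetical source policy: sandbox everything except an explicit allow-list
// of first-party template names. A deny-list keyed on "untrusted/" would return
// false for a synthesized name like "__string_template__<hash>", which is the
// gap the advisory describes; an allow-list fails closed instead.
final class FailClosedSourcePolicy implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        // Only templates under "trusted/" run outside the sandbox.
        if (str_starts_with($source->getName(), 'trusted/')) {
            return false;
        }
        // Every other name, including synthesized ones, is sandboxed.
        return true;
    }
}

// Weak policy (for comparison only, not used below): template_from_string is
// in the allowed-functions list, which the advisory says to avoid when a
// SourcePolicyInterface is in use.
$weakPolicy = new SecurityPolicy(
    ['if', 'for'],                     // allowed tags
    ['escape', 'upper'],               // allowed filters
    [],                                // allowed methods
    [],                                // allowed properties
    ['range', 'template_from_string']  // allowed functions: problematic entry
);

// Hardened policy: same tags and filters, template_from_string removed.
$hardenedPolicy = new SecurityPolicy(
    ['if', 'for'],
    ['escape', 'upper'],
    [],
    [],
    ['range']
);

// Constructed sample templates: one trusted layout, one user-supplied template.
$loader = new ArrayLoader([
    'trusted/layout.html.twig' => '<h1>{{ title|escape }}</h1>{{ body }}',
    'untrusted/user.html.twig' => '{{ "hello"|upper }}',
]);

$twig = new Environment($loader);
// StringLoaderExtension, which provides template_from_string, is deliberately
// not registered, per the advisory's mitigation.
$twig->addExtension(new SandboxExtension($hardenedPolicy, false, new FailClosedSourcePolicy()));

// The user template runs sandboxed; only the allow-listed filter is available.
echo $twig->render('untrusted/user.html.twig'), PHP_EOL;
```

If an existing deployment must keep a deny-list style source policy, the allow-list in FailClosedSourcePolicy shows the shape to move towards: decide "not sandboxed" only for names you recognise, and let every other source, including names the environment synthesizes, default to sandboxed.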

Exploit

Weakness Enumeration
Protection Mechanism Failure

Related Identifiers
CVE-2026-46634
GHSA-24X9-R6Q4-Q93W

Affected Products
Twig