CVE-2026-46640

Name of the Vulnerable Software and Affected Versions Twig versions prior to 3.15.0

Description The obj.(expr) dynamic-attribute syntax allows the attribute to be an arbitrary expression. When the receiver is self (or any {% import %} alias) and the parenthesised expression is a string literal, the DotExpressionParser short-circuits to the macro-call path and concatenates the attacker-controlled string into a MacroReferenceExpression name without identifier validation. Subsequently, MacroReferenceExpression::compile() emits that name raw into the generated PHP source. An attacker capable of supplying template source can inject and execute arbitrary PHP into the compiled template during template-load time, occurring before checkSecurity() is called. This results in a complete bypass of the SandboxExtension, even when a globally-enabled sandbox with an empty SecurityPolicy allowlist is used.

Recommendations Update to a version where the parser validates that the dynamic attribute resolves to a valid macro identifier before routing through MacroReferenceExpression and the macro-reference compiler emits the name through a properly escaped path.