Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-46640

Twig is a template language for PHP. From 3.15.0 until 3.26.0, _self.(<string>) and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression name without identifier validation, causing raw PHP to be emitted into the generated template source and executed at template-load time. This issue is fixed in version 3.26.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 32.8%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2026-46640
  • Symfony » Twig » Version: 3.15.0
    cpe:2.3:a:symfony:twig:3.15.0
  • Symfony » Twig » Version: 3.16.0
    cpe:2.3:a:symfony:twig:3.16.0
  • Symfony » Twig » Version: 3.17.0
    cpe:2.3:a:symfony:twig:3.17.0
  • Symfony » Twig » Version: 3.17.1
    cpe:2.3:a:symfony:twig:3.17.1
  • Symfony » Twig » Version: 3.18.0
    cpe:2.3:a:symfony:twig:3.18.0
  • Symfony » Twig » Version: 3.19.0
    cpe:2.3:a:symfony:twig:3.19.0
  • Symfony » Twig » Version: 3.20.0
    cpe:2.3:a:symfony:twig:3.20.0
  • Symfony » Twig » Version: 3.21.0
    cpe:2.3:a:symfony:twig:3.21.0
  • Symfony » Twig » Version: 3.21.1
    cpe:2.3:a:symfony:twig:3.21.1
  • Symfony » Twig » Version: 3.22.0
    cpe:2.3:a:symfony:twig:3.22.0
  • Symfony » Twig » Version: 3.22.1
    cpe:2.3:a:symfony:twig:3.22.1
  • Symfony » Twig » Version: 3.22.2
    cpe:2.3:a:symfony:twig:3.22.2
  • Symfony » Twig » Version: 3.23.0
    cpe:2.3:a:symfony:twig:3.23.0
  • Symfony » Twig » Version: 3.24.0
    cpe:2.3:a:symfony:twig:3.24.0
  • Symfony » Twig » Version: 3.25.0
    cpe:2.3:a:symfony:twig:3.25.0


Contact Us

Shodan ® - All rights reserved