CVE-2026-46629

Source
https://cve.org/CVERecord?id=CVE-2026-46629
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46629.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46629
Aliases
Downstream
Published
2026-07-14T21:22:15.595Z
Modified
2026-07-17T03:46:17.069589633Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Twig: Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments
Details

Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig\Environment. This issue is fixed in version 3.26.0.

Database specific
{
    "cwe_ids": [
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46629.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/twigphp/twig

Affected ranges

Type
GIT
Repo
https://github.com/twigphp/twig
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.26.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.9.0
v0.9.1
v0.9.10
v0.9.2
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v1.*
v1.0.0
v1.0.0-RC1
v1.0.0-RC2
v1.1.0
v1.1.0-RC1
v1.1.0-RC2
v1.1.0-RC3
v1.1.1
v1.1.2
v1.10.0
v1.10.1
v1.10.2
v1.10.3
v1.11.0
v1.11.1
v1.12.0
v1.12.0-RC1
v1.12.1
v1.12.2
v1.12.3
v1.13.0
v1.13.1
v1.13.2
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.15.1
v1.16.0
v1.16.1
v1.16.2
v1.16.3
v1.17.0
v1.18.0
v1.2.0
v1.2.0-RC1
v1.3.0
v1.3.0-RC1
v1.4.0
v1.4.0-RC1
v1.4.0-RC2
v1.5.0
v1.5.0-RC1
v1.5.0-RC2
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.9.0
v1.9.1
v1.9.2
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.8.1
v3.*
v3.0.0
v3.0.0-BETA1
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.1.0
v3.1.1
v3.10.0
v3.10.1
v3.10.2
v3.10.3
v3.11.0
v3.12.0
v3.13.0
v3.14.0
v3.15.0
v3.16.0
v3.17.0
v3.17.1
v3.18.0
v3.19.0
v3.2.1
v3.20.0
v3.21.0
v3.21.1
v3.22.0
v3.22.1
v3.22.2
v3.23.0
v3.24.0
v3.25.0
v3.3.0
v3.3.1
v3.3.10
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.5.0
v3.5.1
v3.6.0
v3.6.1
v3.7.0
v3.7.1
v3.8.0
v3.9.0
v3.9.1
v3.9.2
v3.9.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46629.json"