GHSA-24x9-r6q4-q93w

Source
https://github.com/advisories/GHSA-24x9-r6q4-q93w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-24x9-r6q4-q93w/GHSA-24x9-r6q4-q93w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-24x9-r6q4-q93w
Aliases
  • CVE-2026-46634
Published
2026-05-21T21:25:12Z
Modified
2026-05-22T22:44:48.132713282Z
Summary
Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
Details

Description

When the sandbox is enabled selectively via SourcePolicyInterface (and not globally), a sandboxed template that is allowed to call template_from_string and include can render an arbitrary inner template with no security policy enforcement.

Environment::createTemplate() compiles the inner string under a synthesized name (__string_template__<hash>), so a name/path-based SourcePolicy returns false for it, and the inner template's checkSecurity() becomes a no-op. From a template the integrator believes is sandboxed, an attacker can use any tag/filter/function (including constant() to read secrets, or |map("system") to execute shell commands).

Resolution

This is a configuration trap rather than a code bug: there is no legitimate use case for exposing template_from_string to untrusted template authors, and propagating the parent sandbox state through template_from_string would require invasive changes to SourcePolicyInterface semantics with their own risks.

Starting with Twig 3.26.0, the documentation and the PHPDoc of StringLoaderExtension::templateFromString() explicitly warn against allowing template_from_string in a sandboxed environment (i.e. listing it in a SecurityPolicy allowed-functions list). Integrators using a SourcePolicyInterface MUST NOT allow template_from_string in their allowed functions; the safest option is not to register StringLoaderExtension at all when a sandbox is in use.
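The following is an added example, not code from the advisory or from the Twig project: it builds the selective (SourcePolicyInterface-driven) sandbox setup described above in both its weak and its hardened form, and runs a small configuration audit over each. It assumes Twig 3.9 or later installed via Composer and PHP 8; the `PathPrefixSourcePolicy` class, the `untrusted/` name prefix, the `buildEnvironment()` and `auditSandboxConfig()` helpers and the sample template are all constructed for this illustration.

```php
<?php
// Added example (not from the advisory or the Twig project). Assumes Twig >= 3.9
// (SourcePolicyInterface exists) installed via Composer and PHP >= 8.0.
// Template names, the policy contents and the helper names are constructed.

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Extension\StringLoaderExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityNotAllowedFunctionError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Name-based source policy (hypothetical): only templates whose name starts with
// "untrusted/" are sandboxed. This is the selective setup the advisory describes;
// a synthesized "__string_template__<hash>" name never matches, so an inner
// template created by template_from_string would be compiled without a policy.
final class PathPrefixSourcePolicy implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        return str_starts_with($source->getName(), 'untrusted/');
    }
}

function buildEnvironment(bool $hardened): Environment
{
    $loader = new ArrayLoader([
        'untrusted/page.twig' => '{{ user_supplied_body }}', // constructed sample template
    ]);
    $twig = new Environment($loader);

    // The trap: listing template_from_string among the allowed functions.
    $allowedFunctions = $hardened
        ? ['range']
        : ['range', 'template_from_string'];

    $policy = new SecurityPolicy(
        ['if', 'for'],          // allowed tags
        ['escape', 'upper'],    // allowed filters
        [],                     // allowed methods
        [],                     // allowed properties
        $allowedFunctions
    );
    $twig->addExtension(new SandboxExtension($policy, false, new PathPrefixSourcePolicy()));

    if (!$hardened) {
        // The advisory's safest option is to not register this extension at all
        // when a sandbox is in use; the hardened configuration omits it.
        $twig->addExtension(new StringLoaderExtension());
    }

    return $twig;
}

/**
 * Audits an Environment for the misconfiguration described in the advisory.
 * Returns a list of findings; an empty list means neither condition is present.
 */
function auditSandboxConfig(Environment $twig): array
{
    $findings = [];
    if (!$twig->hasExtension(SandboxExtension::class)) {
        return $findings; // no sandbox configured, so this trap does not apply
    }

    if ($twig->hasExtension(StringLoaderExtension::class)) {
        $findings[] = 'StringLoaderExtension is registered alongside the sandbox';
    }

    // Ask the SecurityPolicy directly whether template_from_string is permitted;
    // checkSecurity() throws when a listed function is not allowed.
    $policy = $twig->getExtension(SandboxExtension::class)->getSecurityPolicy();
    try {
        $policy->checkSecurity([], [], ['template_from_string']);
        $findings[] = 'SecurityPolicy allows template_from_string';
    } catch (SecurityNotAllowedFunctionError $e) {
        // expected for a hardened policy: the function is rejected
    }

    return $findings;
}

foreach ([false, true] as $hardened) {
    $findings = auditSandboxConfig(buildEnvironment($hardened));
    printf("%s config: %s\n", $hardened ? 'hardened' : 'weak',
        $findings ? implode('; ', $findings) : 'OK');
}
```

Run as `php audit.php` from a project where Twig is installed; the weak configuration reports both findings and the hardened one reports OK. The audit queries the live `SecurityPolicy` through `checkSecurity()` rather than inspecting configuration files, so it also catches policies assembled at runtime.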

Credits

Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue.

Database specific
{
    "cwe_ids": [
        "CWE-693"
    ],
    "github_reviewed": true,
    "nvd_published_at": null,
    "github_reviewed_at": "2026-05-21T21:25:12Z",
    "severity": "MODERATE"
}
Affected packages

Packagist / twig/twig

Package

Name
twig/twig
Purl
pkg:composer/twig%2Ftwig

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.9.0
Fixed
3.26.0

Affected versions

v3.*
v3.9.0
v3.9.1
v3.9.2
v3.9.3
v3.10.0
v3.10.1
v3.10.2
v3.10.3
v3.11.0
v3.11.1
v3.11.2
v3.11.3
v3.12.0
v3.13.0
v3.14.0
v3.14.1
v3.14.2
v3.15.0
v3.16.0
v3.17.0
v3.17.1
v3.18.0
v3.19.0
v3.20.0
v3.21.0
v3.21.1
v3.22.0
v3.22.1
v3.22.2
v3.23.0
v3.24.0
v3.25.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-24x9-r6q4-q93w/GHSA-24x9-r6q4-q93w.json"