PatchSiren cyber security CVE debrief
CVE-2026-46627 twigphp CVE debrief
CVE-2026-46627 is a high-severity vulnerability in the Twig template language for PHP. The vulnerability allows untrusted templates to cause resource exhaustion, consuming CPU, memory, or wall-clock time, even under the strictest allow-list. This issue was addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion. Affected users should review and update their Twig installations to prevent potential resource exhaustion attacks.
- Vendor
- twigphp
- Product
- Twig
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-16
Who should care
Users of Twig template language for PHP, especially those using versions prior to 3.26.0, should be aware of this vulnerability and take necessary precautions to prevent resource exhaustion attacks. This includes updating to the latest version and implementing additional security measures.
Technical summary
The Twig template language for PHP has a high-severity vulnerability, CVE-2026-46627, which allows untrusted templates to cause resource exhaustion by consuming CPU, memory, or wall-clock time. This occurs even under the strictest allow-list in the Twig sandbox. The issue was addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion. Affected users should review and update their Twig installations to prevent potential resource exhaustion attacks. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.
Defensive priority
High priority should be given to updating Twig to version 3.26.0 or later, as well as implementing additional security measures to prevent resource exhaustion attacks. This should be part of a comprehensive vulnerability management plan to ensure the security of affected systems.
Recommended defensive actions
- Update Twig to version 3.26.0 or later
- Implement additional security measures to prevent resource exhaustion attacks
- Monitor template usage and resource consumption
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-14T22:16:54.700Z and was last modified on 2026-07-16T03:12:12.847Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus. Further verification is recommended to ensure accuracy.
Official resources
-
CVE-2026-46627 CVE record
CVE.org
-
CVE-2026-46627 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:54.700Z and has not been modified since then. The NVD entry is currently Analyzed.