PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46627 twigphp CVE debrief

CVE-2026-46627 is a high-severity vulnerability in the Twig template language for PHP. The vulnerability allows untrusted templates to cause resource exhaustion, consuming CPU, memory, or wall-clock time, even under the strictest allow-list. This issue was addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion. Affected users should review and update their Twig installations to prevent potential resource exhaustion attacks.

Vendor
twigphp
Product
Twig
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-16
Advisory published
2026-07-14
Advisory updated
2026-07-16

Who should care

Users of Twig template language for PHP, especially those using versions prior to 3.26.0, should be aware of this vulnerability and take necessary precautions to prevent resource exhaustion attacks. This includes updating to the latest version and implementing additional security measures.

Technical summary

The Twig template language for PHP has a high-severity vulnerability, CVE-2026-46627, which allows untrusted templates to cause resource exhaustion by consuming CPU, memory, or wall-clock time. This occurs even under the strictest allow-list in the Twig sandbox. The issue was addressed in version 3.26.0 by documenting that the sandbox does not protect against resource exhaustion. Affected users should review and update their Twig installations to prevent potential resource exhaustion attacks. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.

Defensive priority

High priority should be given to updating Twig to version 3.26.0 or later, as well as implementing additional security measures to prevent resource exhaustion attacks. This should be part of a comprehensive vulnerability management plan to ensure the security of affected systems.

Recommended defensive actions

  • Update Twig to version 3.26.0 or later
  • Implement additional security measures to prevent resource exhaustion attacks
  • Monitor template usage and resource consumption
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-14T22:16:54.700Z and was last modified on 2026-07-16T03:12:12.847Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus. Further verification is recommended to ensure accuracy.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:54.700Z and has not been modified since then. The NVD entry is currently Analyzed.