PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46629 twigphp CVE debrief

The CVE record for CVE-2026-46629 was published on 2026-07-14T22:16:55.860Z and has not been modified since then. The vulnerability affects Twig template language for PHP prior to version 3.26.0, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig Environment. This issue is fixed in version 3.26.0. Users of affected systems should review and update their configurations to prevent potential exploitation.

Vendor
twigphp
Product
Twig
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-16
Advisory published
2026-07-14
Advisory updated
2026-07-16

Who should care

Users of Twig template language for PHP prior to version 3.26.0, system administrators, security teams, and developers using Twig in their applications should be aware of this vulnerability and take steps to upgrade to the latest version. Affected systems may be vulnerable to denial of service attacks.

Technical summary

Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig Environment. This issue is fixed in version 3.26.0. Affected systems using Twig template language for PHP prior to version 3.26.0 should be reviewed for potential exposure.

Defensive priority

Medium priority due to CVSS score of 5.3 and potential for denial of service.

Recommended defensive actions

  • Upgrade to Twig version 3.26.0 or later
  • Review and update affected systems and applications
  • Monitor for potential exploitation attempts
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

Evidence is based on official CVE and NVD records, as well as vendor advisories and patch information. The CVE record was published on 2026-07-14T22:16:55.860Z and has not been modified since then. Affected systems using Twig template language for PHP prior to version 3.26.0 should be reviewed for potential exposure. Defenders should verify the presence of updated versions and review system configurations for potential vulnerabilities.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:55.860Z and has not been modified since then.