CVE-2026-46640: Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation
(updated )
The obj.(expr) dynamic-attribute syntax (added in 3.15.0 as the replacement for the deprecated attribute() function) lets the attribute be an arbitrary expression. When the receiver is _self (or any {% import %} alias) and the parenthesised expression is a string literal, DotExpressionParser short-circuits to the macro-call path and concatenates the attacker-controlled string into a MacroReferenceExpression name with no identifier validation. MacroReferenceExpression::compile() then emits that name raw into the generated PHP source.
An attacker who can supply template source can inject arbitrary PHP into the compiled template and execute it at template-load time, before checkSecurity() is ever called. This is a complete bypass of SandboxExtension, including a globally-enabled sandbox with an empty SecurityPolicy allowlist.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2026-46640.yaml
- github.com/advisories/GHSA-45vw-wh46-2vx8
- github.com/twigphp/Twig/security/advisories/GHSA-45vw-wh46-2vx8
- github.com/vladko312/extras/blob/main/CVE-2026-46640.py
- nvd.nist.gov/vuln/detail/CVE-2026-46640
- symfony.com/cve-2026-46640
Code Behaviors & Features
Detect and mitigate CVE-2026-46640 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →