Twig sandbox bypass and PHP code injection via _self dynamic attribute macro reference
CVE-2026-46640 is a critical Twig sandbox bypass in the PHP template engine affecting dynamic attribute compilation for the obj.(expr) syntax introduced in Twig 3.15.0. When the receiver is _self and the dynamic attribute expression is a string literal, Twig's parser/compiler takes a macro-reference path that short-circuits normal validation. In the vulnerable flow, a user-controlled string is concatenated into a macro reference name and emitted into generated PHP source without proper validation/escaping. As a result, an attacker who can supply Twig template source can inject arbitrary PHP into the compiled template. The injected code can execute during template load/compilation before checkSecurity() is enforced, resulting in a complete escape from SandboxExtension protections.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
SecurityPolicy allowlists. This can lead to full application compromise, access to sensitive data available to the PHP process, server-side command execution, persistence, and follow-on lateral movement depending on the privileges of the web/application runtime.
Mitigation
If you can’t patch tonight, do this now.
_self.(...) dynamic-attribute macro-reference behavior to attacker-controlled input. Review applications for any feature that renders user-provided Twig templates or fragments, and disable or isolate such functionality until patched. No complete workaround was provided by the vendor.
Remediation
Patch, then assume compromise.
php-twig to 3.27.0-0+deb13u1 or later as referenced in the advisory.
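The mitigation above asks for a review of every feature that compiles user-provided Twig source, and the description of the bug names the exact shape to look for: the receiver `_self` with a string-literal dynamic attribute, `_self.('...')`. The script below is an added example, not code from the advisory or from the Twig project. It pre-screens template source for that shape so an application can refuse to compile untrusted templates containing it until the patched package is deployed, and it can also be pointed at a template directory to find existing occurrences. The two sample templates are constructed; the "review" severity for `_self.(...)` with a non-literal expression is the script's own conservative choice and is not something the advisory calls vulnerable.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Twig's dynamic-attribute syntax is obj.(expr) (Twig >= 3.15.0). The case the
# advisory describes for CVE-2026-46640 is receiver `_self` with a string-literal
# expression, e.g. _self.('name'), which takes the macro-reference compile path.
# This pattern matches exactly that shape, tolerating whitespace and escaped
# quotes inside the literal.
SELF_STRING_LITERAL_REF = re.compile(
    r"""_self\s*\.\s*\(\s*(['"])(?:\\.|(?!\1).)*\1\s*\)""",
    re.DOTALL,
)

# Broader pattern: any `_self.(` dynamic attribute at all. The advisory only
# names the string-literal case as vulnerable; flagging the rest for manual
# review is this script's own choice (assumption), not something the advisory asks.
SELF_DYNAMIC_REF = re.compile(r"_self\s*\.\s*\(")


def find_self_dynamic_refs(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, severity, matched_text) for each `_self.(...)`.

    severity is "block" for the string-literal form and "review" otherwise.
    """
    findings = []
    literal_starts = set()
    for m in SELF_STRING_LITERAL_REF.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        findings.append((line_no, "block", m.group(0)))
        literal_starts.add(m.start())
    for m in SELF_DYNAMIC_REF.finditer(source):
        if m.start() in literal_starts:
            continue  # already reported as a string-literal hit
        line_no = source.count("\n", 0, m.start()) + 1
        findings.append((line_no, "review", m.group(0)))
    findings.sort()
    return findings


def should_reject_untrusted_template(source: str) -> bool:
    """Gate for features that compile user-supplied Twig source: refuse the
    string-literal `_self.(...)` form outright until the patched package is in."""
    return any(sev == "block" for _, sev, _ in find_self_dynamic_refs(source))


def scan_templates(sources: Dict[str, str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Scan a mapping of template name -> source; only templates with findings
    appear in the result."""
    report = {}
    for name, src in sources.items():
        hits = find_self_dynamic_refs(src)
        if hits:
            report[name] = hits
    return report


def scan_template_dir(root: str, suffix: str = ".twig") -> Dict[str, List[Tuple[int, str, str]]]:
    """Convenience wrapper: read every *.twig file under `root` and scan it."""
    root_path = Path(root)
    sources = {
        str(p.relative_to(root_path)): p.read_text(encoding="utf-8", errors="replace")
        for p in root_path.rglob(f"*{suffix}")
    }
    return scan_templates(sources)


# Constructed sample templates (not from the advisory). The flagged one uses a
# harmless macro name only to show the syntax shape; no payload is involved.
SAFE_TEMPLATE = (
    "{% import _self as forms %}\n"
    "{% macro greet(name) %}Hello {{ name }}{% endmacro %}\n"
    "{{ _self.greet(user.name) }}\n"       # static macro call: not a dynamic attribute
    "{{ user.(field) }}\n"                  # dynamic attribute, but the receiver is not _self
)
FLAGGED_TEMPLATE = (
    "{% macro greet(name) %}Hello {{ name }}{% endmacro %}\n"
    "{{ _self.('greet')('world') }}\n"      # string literal on _self: block
    "{{ _self.(macro_name)('world') }}\n"   # non-literal expression: review
)

if __name__ == "__main__":
    report = scan_templates({"safe.twig": SAFE_TEMPLATE, "flagged.twig": FLAGGED_TEMPLATE})
    for name, hits in report.items():
        for line_no, severity, text in hits:
            print(f"{name}:{line_no}: [{severity}] {text}")
```

Run it as a script to see the two findings on the flagged sample, or call `scan_template_dir("templates/")` over a real template tree. A "block" finding in a template that is shipped with the application is not itself a compromise; it means that template must be reviewed, and that any feature which lets users author templates must be switched off or isolated until the patched php-twig is installed.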
Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A Twig sandbox bypass vulnerability described as universally exploitable, with payload development documented in the referenced writeup.
A critical Twig remote code execution vulnerability caused by improper validation during macro compilation of dynamic attributes, enabling sandbox escape and arbitrary PHP code execution.