UBUNTU-CVE-2026-46635
A vulnerability in the Twig PHP template language prior to version 3.26.0 allows an untrusted template author to read object properties that are not in the sandbox allowlist. This occurs because the column filter passes object arrays to PHP's array_column() function, which accesses public and magic properties without sandbox checks. The issue is fixed in Twig version 3.26.0.
AI Analysis
Technical Summary
Twig versions before 3.26.0 have a security flaw where the column filter uses PHP's array_column() on object arrays, bypassing sandbox property access controls such as CoreExtension::getAttribute() and SandboxExtension::checkPropertyAllowed(). This allows an untrusted template author with the column filter enabled in allowedFilters to access object properties outside the sandbox allowlist. The vulnerability is resolved in Twig 3.26.0.
Potential Impact
An untrusted template author can read object properties that should be restricted by the sandbox, potentially exposing sensitive data not intended for template access. This bypasses sandbox property restrictions but does not escalate privileges or allow code execution. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in Twig version 3.26.0. Users should upgrade to version 3.26.0 or later to remediate the issue. No other mitigation or temporary workaround is indicated.
UBUNTU-CVE-2026-46635
Description
A vulnerability in the Twig PHP template language prior to version 3.26.0 allows an untrusted template author to read object properties that are not in the sandbox allowlist. This occurs because the column filter passes object arrays to PHP's array_column() function, which accesses public and magic properties without sandbox checks. The issue is fixed in Twig version 3.26.0.
CVSS v4.0
Affected software
pkg:deb/ubuntu/[email protected]~esm2?arch=source&distro=esm-apps/focalpkg:deb/ubuntu/[email protected]+esm2?arch=source&distro=esm-apps/jammypkg:deb/ubuntu/[email protected]+esm1?arch=source&distro=esm-apps/noblepkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]~esm1?arch=source&distro=esm-apps/resoluteRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Twig versions before 3.26.0 have a security flaw where the column filter uses PHP's array_column() on object arrays, bypassing sandbox property access controls such as CoreExtension::getAttribute() and SandboxExtension::checkPropertyAllowed(). This allows an untrusted template author with the column filter enabled in allowedFilters to access object properties outside the sandbox allowlist. The vulnerability is resolved in Twig 3.26.0.
Potential Impact
An untrusted template author can read object properties that should be restricted by the sandbox, potentially exposing sensitive data not intended for template access. This bypasses sandbox property restrictions but does not escalate privileges or allow code execution. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in Twig version 3.26.0. Users should upgrade to version 3.26.0 or later to remediate the issue. No other mitigation or temporary workaround is indicated.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- UBUNTU-CVE-2026-46635
- Osv Schema Version
- 1.7.0
- Aliases
- []
- Ecosystems
- ["Ubuntu:Pro:20.04:LTS","Ubuntu:Pro:22.04:LTS","Ubuntu:Pro:24.04:LTS","Ubuntu:25.10","Ubuntu:Pro:26.04:LTS"]
- Database Specific Severity
- null
- Cvss Version
- 4.0
Threat ID: 6a58b4a068715ace43da8d44
Added to database: 07/16/2026, 10:38:24 UTC
Last enriched: 07/16/2026, 12:30:26 UTC
Last updated: 07/16/2026, 12:30:26 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.