UBUNTU-CVE-2026-46639
A vulnerability in the Twig PHP template engine versions from 3.24.0 up to but not including 3.26.0 allows an attacker with write access to a sandboxed Twig template to bypass property and method policy checks. This occurs because object-destructuring assignment compiles CoreExtension::getAttribute() with the sandbox argument hardcoded to false, disabling security checks. The issue is fixed in version 3.26.0. Multiple Ubuntu package versions of php-twig are affected.
AI Analysis
Technical Summary
Twig versions 3.24.0 through 3.25.x have a vulnerability where object-destructuring assignment disables sandbox security checks by hardcoding the sandbox argument to false in CoreExtension::getAttribute(). This allows an attacker who can write to a sandboxed Twig template to read public properties or invoke public getters on objects passed to the template engine, potentially exposing sensitive data. The vulnerability is resolved in Twig 3.26.0. Several Ubuntu package versions of php-twig, including those for Ubuntu Pro LTS releases and Ubuntu 25.10, are affected.
Potential Impact
An attacker with write access to a sandboxed Twig template can bypass sandbox restrictions to read public properties or invoke public getters on objects passed to the template engine. This could lead to unauthorized disclosure of information within the application context. There is no indication of privilege escalation or remote code execution. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade affected php-twig packages to version 3.26.0 or later where the vulnerability is fixed. Since this is a code-level vulnerability in the Twig template engine, patching to the fixed version is the recommended remediation. Patch status is confirmed fixed in 3.26.0. No other mitigations are indicated.
UBUNTU-CVE-2026-46639
Description
A vulnerability in the Twig PHP template engine versions from 3.24.0 up to but not including 3.26.0 allows an attacker with write access to a sandboxed Twig template to bypass property and method policy checks. This occurs because object-destructuring assignment compiles CoreExtension::getAttribute() with the sandbox argument hardcoded to false, disabling security checks. The issue is fixed in version 3.26.0. Multiple Ubuntu package versions of php-twig are affected.
CVSS v4.0
Affected software
pkg:deb/ubuntu/[email protected]~esm2?arch=source&distro=esm-apps/focalpkg:deb/ubuntu/[email protected]+esm2?arch=source&distro=esm-apps/jammypkg:deb/ubuntu/[email protected]+esm1?arch=source&distro=esm-apps/noblepkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]~esm1?arch=source&distro=esm-apps/resoluteRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Twig versions 3.24.0 through 3.25.x have a vulnerability where object-destructuring assignment disables sandbox security checks by hardcoding the sandbox argument to false in CoreExtension::getAttribute(). This allows an attacker who can write to a sandboxed Twig template to read public properties or invoke public getters on objects passed to the template engine, potentially exposing sensitive data. The vulnerability is resolved in Twig 3.26.0. Several Ubuntu package versions of php-twig, including those for Ubuntu Pro LTS releases and Ubuntu 25.10, are affected.
Potential Impact
An attacker with write access to a sandboxed Twig template can bypass sandbox restrictions to read public properties or invoke public getters on objects passed to the template engine. This could lead to unauthorized disclosure of information within the application context. There is no indication of privilege escalation or remote code execution. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade affected php-twig packages to version 3.26.0 or later where the vulnerability is fixed. Since this is a code-level vulnerability in the Twig template engine, patching to the fixed version is the recommended remediation. Patch status is confirmed fixed in 3.26.0. No other mitigations are indicated.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- UBUNTU-CVE-2026-46639
- Osv Schema Version
- 1.7.0
- Aliases
- []
- Ecosystems
- ["Ubuntu:Pro:20.04:LTS","Ubuntu:Pro:22.04:LTS","Ubuntu:Pro:24.04:LTS","Ubuntu:25.10","Ubuntu:Pro:26.04:LTS"]
- Database Specific Severity
- null
- Cvss Version
- 4.0
Threat ID: 6a58b4a068715ace43da8d35
Added to database: 07/16/2026, 10:38:24 UTC
Last enriched: 07/16/2026, 12:29:47 UTC
Last updated: 07/16/2026, 12:29:47 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.