The obj.(expr) dynamic-attribute syntax (added in 3.15.0 as the replacement for the deprecated attribute() function) lets the attribute be an arbitrary expression. When the receiver is _self (or any {% import %} alias) and the parenthesised expression is a string literal, DotExpressionParser short-circuits to the macro-call path and concatenates the attacker-controlled string into a MacroReferenceExpression name with no identifier validation. MacroReferenceExpression::compile() then emits that name raw into the generated PHP source.
An attacker who can supply template source can inject arbitrary PHP into the compiled template and execute it at template-load time, before checkSecurity() is ever called. This is a complete bypass of SandboxExtension, including a globally-enabled sandbox with an empty SecurityPolicy allowlist.
The parser now validates that the dynamic attribute resolves to a valid macro identifier before routing through MacroReferenceExpression, and the macro-reference compiler emits the name through a properly escaped path.
Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
No EPSS score in this advisory JSON.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.7 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-45vw-wh46-2vx8 ↗ |
| CVE | CVE-2026-46640 ↗ |
| CWE id | Name |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | twig/twig | >= 3.15.0, < 3.26.0 | 3.26.0 | — |