CVE-2026-46633

critical

Published 2026-05-20 · Modified 2026-05-21

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

9.5

Description

Twig: PHP code injection via `{% use %}` template name

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-46633 NameCVE-2026-46633 SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) ReferencesDSA-6311-1 Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus php-twig (PTS)bullseye2.14.3-1+deb11u2vulnerable bullseye…

CVE-2026-46633

Name	CVE-2026-46633
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-6311-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
php-twig (PTS)	bullseye	2.14.3-1+deb11u2	vulnerable
	bullseye (security)	2.14.3-1+deb11u4	vulnerable
	bookworm, bookworm (security)	3.5.1-1+deb12u1	vulnerable
	trixie	3.20.0-2	vulnerable
	trixie (security)	3.27.0-0+deb13u1	fixed
	forky	3.27.0-1	fixed
	sid	3.27.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
php-twig	source	trixie	3.27.0-0+deb13u1		DSA-6311-1
php-twig	source	(unstable)	3.26.0-1

Notes

https://symfony.com/blog/cve-2026-46633-php-code-injection-via-use-template-name

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://symfony.com/blog/cve-2026-46633-php-code-injection-via-use-template-name

OS impact

Debian Mixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`3.27.0-0+deb13u1`
sid	Fixed	`3.26.0-1`
forky	Fixed	`3.26.0-1`
bullseye	Affected	—
bookworm	Fixed	`3.5.1-1+deb12u3`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Packagist	twig/twig	`>=1.0.0,<2.0.0\|>=2.0.0,<3.0.0\|>=3.0.0,<3.26.0`
Packagist	twig/twig	`<3.26.0`	`3.26.0`
COMPOSER	twig/twig	`< 3.26.0`	`3.26.0`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.