CVE-2026-46639: CWE-693: Protection Mechanism Failure in twigphp Twig
Twig versions from 3.24.0 up to but not including 3.26.0 contain a vulnerability where object-destructuring assignment compiles CoreExtension::getAttribute() with the sandbox argument hardcoded to…
Read the full articleYou might also wanna read
Twig Template Engine Vulnerability Allows Sandbox Policy Bypass
A critical vulnerability in Twig versions 3.9.0 through 3.25.0 allows sandboxed templates to bypass security policy enforcement.
Critical PHP Injection Vulnerability Patched in Twig Template Engine
A critical vulnerability in Twig versions prior to 3.26.0 allows attackers to inject arbitrary PHP code via crafted template names in {% use

WAF - WAF Release - 2025-10-13
This week’s highlights include a new JinJava rule targeting a sandbox-bypass flaw that could allow malicious template input to escape execut

WAF - WAF Release - 2026-04-07
This week's release introduces new detections for a critical Remote Code Execution (RCE) vulnerability in MCP Server (CVE-2026-23744), along

Don't Panic: The Thymeleaf Template Injection That Only Hurts If You Let It (CVE-2026-40478)
CVE-2026-40478: The Thymeleaf template injection (CVSS 9.1) is conditional. Patch to 3.1.4+ immediately, and audit your code for dynamic vie

Comments
Sign in to join the conversation.
No comments yet. Be the first.