# [CRIT] [GHSA / CRITICAL] CVE-2026-46633: Twig: PHP code injection via `{% use %}` template name **Source:** GitHub Security Advisories **Published:** 2026-05-21 **Article:** https://github.com/advisories/GHSA-7p85-w9px-jpjp ## Threat Profile Twig: PHP code injection via `{% use %}` template name ### Description `Compiler::string()` escapes `"`, `$`, `\`, NUL and TAB when generating PHP double-quoted string literals, but does not escape single quotes. In `ModuleNode::compileConstructor()`, the template name from a `{% use %}` tag is compiled via `subcompile()` -> `string()` and placed inside a surrounding PHP single-quoted string literal. A template name containing a single quote terminates that surrounding string early, allowing a… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-46633` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Vulnerable Twig package (CVE-2026-46633) installed (twig/twig < 3.26.0) `UC_225_1` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count, min(_time) as firstTime, max(_time) as lastTime from datamodel=Vulnerabilities where (Vulnerabilities.cve="CVE-2026-46633" OR (Vulnerabilities.signature="twig/twig" OR Vulnerabilities.signature="composer:twig/twig" OR Vulnerabilities.signature="twig")) by Vulnerabilities.dest, Vulnerabilities.dest_category, Vulnerabilities.signature, Vulnerabilities.cve, Vulnerabilities.severity, Vulnerabilities.cvss | `drop_dm_object_name(Vulnerabilities)` | where isnotnull(dest) | convert ctime(firstTime) ctime(lastTime) | sort - cvss ``` **Defender KQL:** ```kql // CVE-2026-46633 — Twig {% use %} PHP code injection (vuln < 3.26.0) DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-2026-46633" or (SoftwareName has "twig" and SoftwareVendor has "twig") | join kind=leftouter ( DeviceTvmSoftwareInventory | where SoftwareName has "twig" and SoftwareVendor has "twig" | project DeviceId, InstalledVersion = SoftwareVersion ) on DeviceId | project Timestamp, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, InstalledVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, RecommendedSecurityUpdateId | order by VulnerabilitySeverityLevel desc, DeviceName asc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-46633` ## Why this matters Severity classified as **CRIT** based on: CVE present, 2 use case(s) fired, 1 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.