CVE-2026-46640 - Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation
CVE ID :CVE-2026-46640 Published : July 14, 2026, 10:16 p.m. | 17 minutes ago Description :Twig is a template language for PHP. From 3.15.0 until 3.26.0, _self.() and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression name...