GHSA-7p85-w9px-jpjp: Twig: PHP code injection via `{% use %}` template name
Summary
Twig (a PHP template engine) has a vulnerability where the template name given to a `{% use %}` tag is not properly escaped when it is written into the compiled template's PHP source, so an attacker who controls that name can inject arbitrary PHP code that executes when the compiled template is loaded from the cache. This bypasses Twig's security sandbox, giving the attacker remote code execution (the ability to run commands on the server).
Solution / Mitigation
`Compiler::string()` now escapes single quotes in addition to the characters it previously escaped, preventing template names from breaking out of the surrounding PHP string context.
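The defect class behind this advisory is a compiler that embeds a user-influenced string into generated source without escaping every character that can terminate the emitted literal. The following Python model is an added illustration, not Twig's own code: it assumes, as a simplification, that the generated context is a single-quoted PHP literal (whose only escape sequences are `\'` and `\\`), contrasts a hypothetical pre-fix emitter that escapes only backslashes with a hardened one that also escapes single quotes, and decodes the generated PHP the way the PHP parser would to show whether anything leaks out of the literal. The `$this->load(...)` wrapper is a constructed stand-in for whatever the real compiled output looks like.

```python
"""Model of escaping a template name into generated PHP source (added example,
not Twig's code). The emitted context is ASSUMED to be a single-quoted PHP
string literal; its terminators are the backslash and the single quote."""


def emit_weak(value: str) -> str:
    """Hypothetical pre-fix emitter: escapes backslashes but not single quotes."""
    return "'" + value.replace("\\", "\\\\") + "'"


def emit_safe(value: str) -> str:
    """Hardened emitter: escape backslashes first, then single quotes, so the
    escape character itself can never be smuggled in unescaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def parse_php_single_quoted(src: str) -> tuple[str, str]:
    """Decode the PHP single-quoted literal at the start of src.

    Returns (decoded_value, remaining_source). In PHP single-quoted strings
    only \\' and \\\\ are escape sequences; any other backslash is literal.
    Whatever follows the closing quote is source the PHP parser would go on
    to compile, which is exactly the breakout the advisory describes.
    """
    if not src.startswith("'"):
        raise ValueError("not a single-quoted literal")
    out = []
    i = 1
    while i < len(src):
        ch = src[i]
        if ch == "\\" and i + 1 < len(src) and src[i + 1] in ("'", "\\"):
            out.append(src[i + 1])
            i += 2
        elif ch == "'":
            return "".join(out), src[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated literal")


PREFIX = "$this->load("   # constructed stand-in for the generated call
SUFFIX = ");"


def compile_use(template_name: str, emit) -> str:
    """Emit one line of generated PHP that loads a template by name."""
    return PREFIX + emit(template_name) + SUFFIX


def name_survives(template_name: str, emit) -> bool:
    """True when the generated line still holds the whole name inside one
    literal and nothing but the intended closing tokens follows it."""
    generated = compile_use(template_name, emit)
    value, rest = parse_php_single_quoted(generated[len(PREFIX):])
    return value == template_name and rest == SUFFIX


if __name__ == "__main__":
    # Constructed sample: a name containing a quote and a concatenation operator.
    name = "layout'.'injected"
    for emit in (emit_weak, emit_safe):
        print(f"{emit.__name__}: {compile_use(name, emit)}  "
              f"-> contained: {name_survives(name, emit)}")
```

With the weak emitter the sample name closes the literal early and the rest of the name becomes PHP source; with the hardened emitter the decoded value round-trips and only the intended `);` follows. The order of the two `replace` calls matters: escaping the quote before the backslash would let a trailing `\` neutralize the added `\'`.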
Vulnerability Details
EPSS: 0.0%
May 21, 2026
Original source: https://github.com/advisories/GHSA-7p85-w9px-jpjp
First tracked: May 21, 2026 at 08:00 PM