Dual Sandbox Bypasses Threaten PHP Applications

ID: e07f1d96-bd3b-5438-a65a-a11abdd676f5

STIX ID: report--e07f1d96-bd3b-5438-a65a-a11abdd676f5

Feed Name: securityonline.info

Threat Score: 78/100

Date Published: 2026-05-27

Date Updated: 2026-05-27

Author: Ddos

Maintainers of the Twig PHP template engine released urgent updates fixing two critical RCE vulnerabilities that permit unauthenticated arbitrary PHP execution. CVE-2026-46640 is a macro compilation flaw that allows a sandbox escape via the obj.(expr) dynamic-attribute syntax when the receiver is _self and the expression is a string literal. CVE-2026-46633 is a failure to escape single quotes in compiled template names used in {% use %} tags. Versions below 3.26.0 are vulnerable; upgrade to Twig 3.26.0 immediately.