CVE-2026-46629

Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
14/07/2026
Last modified:
16/07/2026

Description

Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig\Environment. This issue is fixed in version 3.26.0.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:* 3.26.0 (excluding)