Description
Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig\Environment. This issue is fixed in version 3.26.0.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Debian DSA |
DSA-6311-1 | php-twig security update |
Debian DSA |
DSA-6320-1 | php-twig security update |
Github GHSA |
GHSA-35wc-cvqg-78fp | twig/intl-extra: Unbounded formatter memoisation in keyed on template-controlled arguments |
References
History
Tue, 14 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig\Environment. This issue is fixed in version 3.26.0. | |
| Title | Twig: Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments | |
| Weaknesses | CWE-770 | |
| References |
| |
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-14T21:22:15.595Z
Reserved: 2026-05-15T19:34:14.013Z
Link: CVE-2026-46629
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
Debian DSA
Github GHSA