`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name

PKSA-21g2-dzjv-sky5 CVE-2026-46634

Affected package: twig/twig

Affected version: >=3.9.0,<3.26.0

Reported by:
FriendsOfPHP/security-advisories