Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation

PKSA-5k7f-wvjj-jrgw CVE-2026-46640

Affected package: twig/twig

Affected version: >=3.15.0,<3.26.0

Reported by:
FriendsOfPHP/security-advisories