๐Ÿ” CVE Alert

CVE-2026-46628

UNKNOWN 0.0

Twig: The `spaceless` filter implicitly marks its output as safe

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0.

CWE CWE-116
Vendor twigphp
Product twig
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for twigphp twig

Be the first to know when new unknown vulnerabilities affecting twigphp twig are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

twigphp / Twig
< 3.26.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/twigphp/Twig/security/advisories/GHSA-4j38-f5cw-54h7 github.com: https://github.com/twigphp/Twig/commit/3190b9ae12614dfd58cc5d8f394bac4708b17913 github.com: https://github.com/twigphp/Twig/releases/tag/v3.26.0