๐Ÿ” CVE Alert

CVE-2026-46637

UNKNOWN 0.0

Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0.

CWE CWE-116
Vendor twigphp
Product twig
Published Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for twigphp twig

Be the first to know when new unknown vulnerabilities affecting twigphp twig are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

twigphp / Twig
< 3.26.0
twig / cssinliner-extra
< 3.26.0
twig / markdown-extra
< 3.26.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/twigphp/Twig/security/advisories/GHSA-jv8m-2544-3pg3 github.com: https://github.com/twigphp/Twig/commit/84982072c79a7417b0d158a401d91344f3658299 github.com: https://github.com/twigphp/Twig/commit/e36489d3521ecbfc08bdcc61294302557035f14a github.com: https://github.com/twigphp/Twig/releases/tag/v3.26.0