Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0.
Project Subscriptions
No data.
Advisories
| Source | ID | Title |
|---|---|---|
Debian DSA |
DSA-6311-1 | php-twig security update |
Debian DSA |
DSA-6320-1 | php-twig security update |
Github GHSA |
GHSA-jv8m-2544-3pg3 | Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']` |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 14 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0. | |
| Title | Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']` | |
| Weaknesses | CWE-116 | |
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-14T21:25:20.141Z
Reserved: 2026-05-15T20:11:54.584Z
Link: CVE-2026-46637
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
Debian DSA
Github GHSA