CVE-2026-46628 in Twiginfo

Summary

by MITRE • 07/15/2026

Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in Twig template engine affects versions prior to 3.26.0 where the deprecated spaceless filter was incorrectly registered as safe for HTML output. This misconfiguration creates a critical security flaw that undermines the template engine's autoescaping mechanism, which is designed to prevent cross-site scripting attacks by sanitizing potentially malicious input before rendering. The spaceless filter was originally intended to remove unnecessary whitespace from HTML output but was mistakenly marked as safe for HTML content in the security context.

When an attacker provides untrusted input to a template that uses the spaceless filter, the autoescaping system fails to properly sanitize the content because it incorrectly assumes that the spaceless filter will handle all security concerns. This allows malicious markup to be rendered directly into the output without proper escaping, potentially enabling attackers to inject scripts or other harmful content that would normally be neutralized by the autoescaping protection.

The operational impact of this vulnerability extends beyond simple XSS attacks as it represents a fundamental breakdown in the template engine's security model. Attackers can exploit this flaw to bypass security controls that are critical for protecting web applications from code injection attacks, particularly when the spaceless filter is applied to user-controlled data. This issue specifically relates to CWE-79 which addresses cross-site scripting vulnerabilities and also aligns with ATT&CK technique T1203 which involves exploitation of application vulnerabilities.

The fix implemented in version 3.26.0 properly re-evaluates the security context of the spaceless filter, ensuring that it no longer incorrectly assumes safe HTML output status. This correction restores the proper autoescaping behavior where untrusted input is always sanitized regardless of filter usage. Organizations should immediately upgrade to Twig version 3.26.0 or later to remediate this vulnerability, as the issue affects all applications using affected versions of the template engine. The mitigation strategy centers on updating the library and conducting security reviews of existing templates that may be utilizing the spaceless filter with untrusted input sources.

Responsible

GitHub M

Reservation

05/15/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!