CVE-2026-46637info

Summary

by MITRE • 07/15/2026

Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability affects the Twig template engine for PHP and represents a critical security flaw in how template filters handle output escaping. The issue stems from improper security context handling within the markdown-extra and cssinliner-extra packages where multiple filters are registered with the is_safe => [all] configuration. This registration instructs Twig that the filter outputs can be safely used in all contexts without additional escaping, which creates a dangerous situation for developers who rely on these components.

The technical flaw manifests when template developers use these vulnerable filters in their applications without implementing proper output escaping mechanisms. When Twig processes templates containing these unsafe filters, it treats the rendered output as inherently safe across multiple execution contexts including HTML, JavaScript, CSS, and URL contexts. This misconfiguration allows attackers to inject malicious content that would normally be escaped or sanitized by Twig's security mechanisms.

The operational impact of this vulnerability extends beyond simple cross-site scripting attacks to encompass a broader range of injection flaws. Attackers can exploit this weakness to inject malicious JavaScript code into HTML documents, manipulate CSS stylesheets to perform unauthorized actions, or craft malicious URLs that could lead to phishing attacks. The vulnerability essentially bypasses Twig's built-in security protections by incorrectly marking template outputs as safe when they should undergo proper escaping based on their intended context. This creates a persistent risk for applications using affected versions of the twig packages.

The fix implemented in version 3.26.0 addresses this by correcting the filter registrations to properly specify which contexts are actually safe for the output, thereby restoring the expected security boundaries within the Twig template engine. Organizations should immediately upgrade to version 3.26.0 or later to mitigate this risk. The vulnerability aligns with CWE-79 (Cross-site Scripting) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) categories, and can be categorized under ATT&CK technique T1203 (Exploitation for Client Execution) when used to deliver malicious payloads through web applications. Security teams should conduct thorough code reviews to identify any custom filters that might have similar misconfigurations and ensure proper context-aware output escaping is implemented throughout their template processing pipelines.

Disclosure

07/15/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!