Back to overview

CVE-2026-46637

MEDIUM
5.1
CVSS 4.0
Description
Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0.

Metadata

CVE ID
CVE-2026-46637
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-15 20:11 UTC
Published
2026-07-14 21:25 UTC
Last updated
2026-07-14 21:25 UTC
Primary CWE
CWE-116
CWE-116: Improper Encoding or Escaping of Output
Vendor / Product
twigphp / Twig
Sources
cve.org  ·  NVD

Severity & Metrics

5.1 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products (3)
VendorProductPlatformVersions
twig cssinliner-extra < 3.26.0
twig markdown-extra < 3.26.0
twigphp Twig < 3.26.0
Weakness (CWE)
CWESourceDescription
CWE-116 cna CWE-116: Improper Encoding or Escaping of Output
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.1 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References (4)
Back to overview