CVE-2026-46637
MEDIUM
5.1
CVSS 4.0
Description
Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0.
Metadata
Severity & Metrics
5.1
MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products (3)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| twig | cssinliner-extra | — | < 3.26.0 |
| twig | markdown-extra | — | < 3.26.0 |
| twigphp | Twig | — | < 3.26.0 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-116 | cna | CWE-116: Improper Encoding or Escaping of Output |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 5.1 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
References (4)
- https://github.com/twigphp/Twig/security/advisories/GHSA-jv8m-2544-3pg3 https://github.com/twigphp/Twig/security/advisories/GHSA-jv8m-2544-3pg3
- https://github.com/twigphp/Twig/commit/84982072c79a7417b0d158a401d91344f3658299 https://github.com/twigphp/Twig/commit/84982072c79a7417b0d158a401d91344f3658299
- https://github.com/twigphp/Twig/commit/e36489d3521ecbfc08bdcc61294302557035f14a https://github.com/twigphp/Twig/commit/e36489d3521ecbfc08bdcc61294302557035f14a
- https://github.com/twigphp/Twig/releases/tag/v3.26.0 https://github.com/twigphp/Twig/releases/tag/v3.26.0