Twig CVE-2026-46628
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/twigphp/Twig) · only source for this CVE.
CVSS VectorVendor: https://github.com/twigphp/Twig
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Description
The spaceless filter is registered with is_safe => ['html'], which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying spaceless to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote |raw and autoescape is enabled.
Example:
{% set payload = '<script>alert()</script>' %}
{{ payload }} {
# escaped #}
{{ payload|spaceless }} {
# not escaped #}The filter is deprecated but still functional. With the deprecation, some downstream projects (e.g. Drupal modules) have duplicated the filter and inherited the same is_safe flag.
Resolution
The spaceless filter no longer marks its output as safe. Documentation has been updated to warn that spaceless should not be applied to unsanitised user input.
Credits
Twig would like to thank Pierre Rudloff for reporting the issue.
AnalysisAI
Cross-site scripting in Twig's PHP templating engine allows attacker-controlled HTML markup to bypass autoescaping when rendered through the |spaceless filter. The filter was incorrectly registered with is_safe => ['html'], signaling to the autoescaper that its output is already safe and requires no HTML encoding - even when the input is user-supplied and autoescape is globally enabled. All twig/twig Composer installations prior to 3.26.0 are affected, as are downstream packages (notably certain Drupal modules) that independently copied the spaceless filter and inherited the same erroneous flag. No public exploit or active exploitation is identified at time of analysis.
Technical ContextAI
Twig is a widely used PHP templating engine featuring a contextual autoescaping system. The autoescaper normally HTML-encodes all output variables in HTML contexts; however, filters and functions that declare is_safe => ['html'] are exempted because the engine treats their output as pre-sanitized. The spaceless filter - designed solely to strip whitespace between HTML tags - was registered with this flag, creating a mismatch: the filter performs no sanitization, yet it disables the downstream autoescaping that would have caught injected markup. This maps precisely to CWE-116 (Improper Encoding or Escaping of Output), where a processing step incorrectly signals output safety. The affected package is pkg:composer/twig_twig. Because spaceless was deprecated in recent Twig versions, several downstream consumers (including Drupal ecosystem modules) duplicated the filter implementation verbatim, inheriting the unsafe is_safe declaration into separately maintained codebases.
RemediationAI
Upgrade twig/twig to version 3.26.0 or later by running composer update twig/twig and verifying the installed version. Version 3.26.0 removes the is_safe => ['html'] declaration from the spaceless filter so its output is subject to normal autoescaping. For downstream packages such as Drupal modules that independently implement spaceless, audit each for the is_safe => ['html'] flag on that filter and remove it or apply an equivalent fix; these packages require independent patching and cannot be fixed solely by upgrading twig/twig. As a pre-patch workaround, replace any usage of {{ variable|spaceless }} with {{ variable|spaceless|e }} to force explicit escaping after the filter - this has no effect on whitespace stripping behavior but restores XSS protection. Alternatively, stop passing user-controlled input through |spaceless entirely, as the filter's sole purpose is whitespace removal and should never be applied to unsanitized data. Advisory references: https://github.com/twigphp/Twig/security/advisories/GHSA-4j38-f5cw-54h7 and https://symfony.com/cve-2026-46628.
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4j38-f5cw-54h7