Twig CVE-2026-46628

LOW
Improper Encoding or Escaping of Output (CWE-116)
2026-05-21
https://github.com/twigphp/Twig
GHSA-4j38-f5cw-54h7

Lifecycle Timeline

Source Code Evidence Fetched: May 21, 2026 - 22:02 (vuln.today)
Analysis Generated: May 21, 2026 - 22:02 (vuln.today)

Description (NVD)

The spaceless filter is registered with is_safe => ['html'], which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying spaceless to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote |raw and autoescape is enabled.

Example:

{% set payload = '<script>alert()</script>' %}
{{ payload }}           {# escaped #}
{{ payload|spaceless }} {# not escaped #}

The filter is deprecated but still functional. With the deprecation, some downstream projects (e.g. Drupal modules) have duplicated the filter and inherited the same is_safe flag.

Resolution

The spaceless filter no longer marks its output as safe. Documentation has been updated to warn that spaceless should not be applied to unsanitised user input.
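The following is an added example, not code from Twig or from the advisory; it reproduces the mechanism described above and the fix from the Resolution in a standalone script. It assumes Twig 3 is installed with Composer, and the filter names collapse_flagged and collapse_fixed, as well as the whitespace-collapsing callback, are constructed here rather than taken from Twig.

```php
<?php
// Added example (not Twig's or the advisory's code). Assumes Twig 3 installed
// via Composer (twig/twig). Filter names and the callback are constructed here.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Whitespace collapsing of the kind a spaceless-style filter performs: drop
// whitespace between adjacent tags. It does nothing to neutralise markup.
$collapse = static function (string $html): string {
    return trim(preg_replace('/>\s+</', '><', $html));
};

$twig = new Environment(new ArrayLoader([
    'plain'   => '{{ payload }}',
    'flagged' => '{{ payload|collapse_flagged }}',
    'fixed'   => '{{ payload|collapse_fixed }}',
]), ['autoescape' => 'html']);

// Vulnerable registration: is_safe => ['html'] is the flag the advisory
// describes; the autoescaper then passes the filter's result through verbatim.
$twig->addFilter(new TwigFilter('collapse_flagged', $collapse, ['is_safe' => ['html']]));

// Corrected registration (the fix from the Resolution): no is_safe option,
// so the result is HTML-escaped like any other value in an HTML context.
$twig->addFilter(new TwigFilter('collapse_fixed', $collapse));

// Constructed input standing in for a user-supplied value.
$payload = "<b>hi</b>   <script>alert()</script>";

foreach (['plain', 'flagged', 'fixed'] as $name) {
    // 'flagged' is the only template that emits raw tags.
    printf("%-8s %s\n", $name, $twig->render($name, ['payload' => $payload]));
}

// Regression check a project can keep after dropping the flag (useful for
// downstream copies of the filter, such as the duplicated Drupal variants):
// the corrected filter must never emit a raw '<' from user input.
function assertEscaped(Environment $twig, string $template, string $payload): void
{
    $out = $twig->render($template, ['payload' => $payload]);
    if (strpos($out, '<') !== false) {
        throw new RuntimeException("$template emitted unescaped markup: $out");
    }
}
assertEscaped($twig, 'fixed', $payload);
```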

Credits

Twig would like to thank Pierre Rudloff for reporting the issue.

Analysis (AI)

Cross-site scripting in Twig's PHP templating engine allows attacker-controlled HTML markup to bypass autoescaping when rendered through the |spaceless filter. The filter was incorrectly registered with is_safe => ['html'], signaling to the autoescaper that its output is already safe and requires no HTML encoding - even when the input is user-supplied and autoescape is globally enabled. …

CVE-2026-46628 vulnerability details – vuln.today