Template Injection Vulnerability in Twig PHP Library
CVE-2026-46628

5.1MEDIUM

Key Information:

Vendor

TwigPHP

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-46628?

The Twig template engine for PHP contains a vulnerability in versions before 3.26.0 related to the use of the deprecated 'spaceless' filter. This filter is incorrectly registered as safe for HTML, leading to a situation where the automatic escaping behavior is bypassed. As a result, an attacker can manipulate and inject unescaped markup into a web application, potentially compromising its security. This issue impacts the processing of untrusted input, making it essential for users to update to version 3.26.0 or later to mitigate these risks.

Affected Version(s)

Twig < 3.26.0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.