Template Injection Vulnerability in Twig PHP Library
CVE-2026-46628
5.1MEDIUM
What is CVE-2026-46628?
The Twig template engine for PHP contains a vulnerability in versions before 3.26.0 related to the use of the deprecated 'spaceless' filter. This filter is incorrectly registered as safe for HTML, leading to a situation where the automatic escaping behavior is bypassed. As a result, an attacker can manipulate and inject unescaped markup into a web application, potentially compromising its security. This issue impacts the processing of untrusted input, making it essential for users to update to version 3.26.0 or later to mitigate these risks.
Affected Version(s)
Twig < 3.26.0
