HTML Injection Vulnerability in Twig Template Engine by Twig
CVE-2026-47730
5.1MEDIUM
What is CVE-2026-47730?
A vulnerability in the Twig template engine allows unescaped output of template or profile names in its HTML profiler dump. This flaw, present in versions 3.0.0 through 3.26.0, can lead to the injection of arbitrary HTML when a user’s browser renders the profiler output. Attackers could exploit this vulnerability to manipulate the rendered output, posing a significant risk to web applications utilizing this template engine. The issue has been addressed in Twig version 3.26.0.
Affected Version(s)
Twig >= 3.0.0, < 3.26.0
