CVE-2026-46628
Twig: The `spaceless` filter implicitly marks its output as safe
Description
### Description

The `spaceless` filter is registered with `is_safe => ['html']`, which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying `spaceless` to attacker-controlled input that contains markup emits the markup unescaped, even when the developer never wrote `|raw` and autoescape is enabled.

Example:

```twig
{% set payload = '<script>alert()</script>' %}
{{ payload }} {# escaped #}
{{ payload|spaceless }} {# not escaped #}
```

The filter is deprecated but still functional. With the deprecation, some downstream projects (e.g. Drupal modules) have duplicated the filter and inherited the same `is_safe` flag.

### Resolution

The `spaceless` filter no longer marks its output as safe. Documentation has been updated to warn that `spaceless` should not be applied to unsanitised user input.

### Credits

Twig would like to thank Pierre Rudloff for reporting the issue.
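The following PHP script is an added example, not code from Twig or from the advisory. It renders the advisory's payload under autoescape three ways: through the vulnerable `spaceless` filter (unescaped on twig/twig < 3.26.0), through `spaceless` followed by an explicit `|e`, and through a hypothetical replacement filter named `strip_ws` that does the same whitespace stripping but is registered without `is_safe`, which is the fix downstream copies of the filter need. It assumes twig/twig is installed via Composer and that `vendor/autoload.php` is reachable from the script's directory.

```php
<?php
// Added example (not Twig's own code). Renders a constructed attacker payload
// through the vulnerable filter and two mitigations, then checks the mitigations.
// Assumes twig/twig is installed via Composer (vendor/autoload.php).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Constructed attacker-controlled input, the same payload as in the advisory.
$payload = '<script>alert()</script>';

$loader = new ArrayLoader([
    // Vulnerable on < 3.26.0: spaceless is marked safe, so output is emitted verbatim.
    'vuln'     => '{{ payload|spaceless }}',
    // Mitigation for unpatched versions: explicit escape AFTER stripping whitespace.
    // (The explicit |e runs regardless of what the preceding filter claims.)
    'escaped'  => '{{ payload|spaceless|e }}',
    // Hardened replacement for projects that copied the filter (hypothetical name).
    'hardened' => '{{ payload|strip_ws }}',
]);

$twig = new Environment($loader, ['autoescape' => 'html']);

// Same whitespace stripping as core spaceless, but registered WITHOUT the
// ['is_safe' => ['html']] option, so the autoescaper still escapes its output.
$twig->addFilter(new TwigFilter('strip_ws', static function (string $content): string {
    return trim(preg_replace('/>\s+</', '><', $content));
}));

$results = [];
foreach (['vuln', 'escaped', 'hardened'] as $name) {
    $results[$name] = $twig->render($name, ['payload' => $payload]);
}

// On twig/twig < 3.26.0 the 'vuln' line prints the raw <script> tag; on >= 3.26.0
// it prints the escaped form, because spaceless no longer claims its output is safe.
foreach ($results as $name => $out) {
    printf("%-9s %s\n", $name, $out);
}

// Self-check: both mitigations must escape regardless of the Twig version.
$expected = '&lt;script&gt;alert()&lt;/script&gt;';
foreach (['escaped', 'hardened'] as $name) {
    if ($results[$name] !== $expected) {
        fwrite(STDERR, "unexpected output for {$name}: {$results[$name]}\n");
        exit(1);
    }
}
echo "mitigations escape the payload as expected\n";
```

Run it once against the installed version to confirm which branch you are on: if the `vuln` line shows a literal `<script>` tag, the installed twig/twig is affected. Two caveats: on Twig 3.12 and later the two templates that use `spaceless` also emit a deprecation notice, which is expected; and the order `|spaceless|e` is deliberate, since placing the explicit escape before a filter that the patched release no longer treats as safe can lead to double escaping. For triage, a search for `|spaceless` (and for any re-registered copy passing `'is_safe' => ['html']`) across template and extension code finds the places where user-controlled input may reach the filter.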
Affected packages (2)
- Debian/php-twig: from 0
- Packagist/twig/twig: from 0, < 3.26.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U |
References (5)
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-46628
- PATCH: https://github.com/twigphp/Twig
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2026-46628.yaml
- WEB: https://github.com/twigphp/Twig/security/advisories/GHSA-4j38-f5cw-54h7
- WEB: https://symfony.com/cve-2026-46628