CVE-2026-46628

Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
14/07/2026
Last modified:
16/07/2026

Description

Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. This issue is fixed in version 3.26.0.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:* 3.26.0 (excluding)