Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Debian DSA |
DSA-6311-1 | php-twig security update |
Debian DSA |
DSA-6320-1 | php-twig security update |
Github GHSA |
GHSA-jv8m-2544-3pg3 | Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']` |
Thu, 16 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 14 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0. | |
| Title | Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']` | |
| Weaknesses | CWE-116 | |
| References |
| |
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T15:05:57.087Z
Reserved: 2026-05-15T20:11:54.584Z
Link: CVE-2026-46637
Updated: 2026-07-16T15:05:52.849Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T01:45:04Z
Debian DSA
Github GHSA