logo

Database

OS Command Injection In twig/twig

Description

Twig: The spaceless filter implicitly marks its output as safe

Description

The spaceless filter is registered with is_safe => ['html'], which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying spaceless to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote |raw and autoescape is enabled.

Example:

{% set payload = '<script>alert()</script>' %}
{{ payload }}          {# escaped #}
{{ payload|spaceless }} {# not escaped #}

The filter is deprecated but still functional. With the deprecation, some downstream projects (e.g. Drupal modules) have duplicated the filter and inherited the same is_safe flag.

Resolution

The spaceless filter no longer marks its output as safe. Documentation has been updated to warn that spaceless should not be applied to unsanitised user input.

Credits

Twig would like to thank Pierre Rudloff for reporting the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-466282. NVD-2026-466283. OSV-2026-466284. GHSA-4j38-f5cw-54h75. GCVE-2026-46628

References

1. https://github.com/twigphp/Twig/security/advisories/GHSA-4j38-f5cw-54h72. https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2026-46628.yaml3. https://symfony.com/cve-2026-46628

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.