Improper Encoding or Escaping of Output in Twig - CVE-2026-46628


Published: May 20, 2026


Vulnerability identifier: #VU132001
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-46628
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Symfony
Affected software: Twig

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper encoding or escaping of output in the `spaceless` filter when rendering attacker-controlled input in an HTML context. A remote attacker can supply crafted markup that is processed with the filter to execute arbitrary script in the victim's browser.

The issue occurs even when autoescaping is enabled and the developer does not explicitly use the `raw` filter.
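An added template audit check, not part of this advisory or of Twig itself: it scans Twig output tags for `|spaceless` applied to anything other than a string literal and lists them for review, since those are the places where attacker-controlled input would reach the filter. The sample templates and the heuristic (a preceding `e`/`escape` filter is treated as already handled) are constructed assumptions.

```python
import re

# Constructed sample templates for demonstration; none of them comes from the advisory.
SAMPLE_TEMPLATES = {
    "profile.html.twig": '<div class="bio">{{ user.bio|spaceless }}</div>\n',
    "comment.html.twig": "{{ comment.body | striptags | spaceless }}\n<span>{{ comment.author }}</span>\n",
    "layout.html.twig": (
        "{{ '<p>  static  </p>'|spaceless }}\n"
        "{{ snippet|e|spaceless }}\n"
        "{% apply spaceless %}<p>{{ title }}</p>{% endapply %}\n"
    ),
}

OUTPUT_TAG = re.compile(r"\{\{-?\s*(.*?)\s*-?\}\}")
STRING_LITERAL = re.compile(r"""^(?:'[^']*'|"[^"]*")$""")

def filter_chain(expr):
    """Split a Twig output expression into its base value and filter names.
    Heuristic: splits on '|' and drops filter arguments; '||' or '|' inside
    string arguments are not handled, which is acceptable for a first-pass audit."""
    parts = [p.strip() for p in expr.split("|")]
    names = [p.split("(")[0].strip() for p in parts[1:]]
    return parts[0], names

def is_risky(expr):
    """True when spaceless is applied to a non-literal value with no explicit escape before it."""
    base, names = filter_chain(expr)
    if "spaceless" not in names:
        return False
    if STRING_LITERAL.match(base):
        return False  # template-controlled literal, not user input
    before = names[: names.index("spaceless")]
    return not any(n in ("e", "escape") for n in before)  # assumption: explicit escape first is handled

def scan_templates(templates):
    """Return (template name, line number, expression) for every risky output tag."""
    findings = []
    for name, source in templates.items():
        for line_no, line in enumerate(source.splitlines(), 1):
            for m in OUTPUT_TAG.finditer(line):
                if is_risky(m.group(1)):
                    findings.append((name, line_no, m.group(1)))
    return findings

if __name__ == "__main__":
    for name, line_no, expr in scan_templates(SAMPLE_TEMPLATES):
        print(f"{name}:{line_no}: spaceless applied to untrusted value: {{{{ {expr} }}}}")
```

Run it over a real `templates/` tree by reading each `.twig` file into the dictionary; the `{% apply spaceless %}` block form is deliberately outside the heuristic, which looks only at output tags.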


How to mitigate CVE-2026-46628

Install the security update from the vendor's website.

Sources