GHSA-JV8M-2544-3PG3
Vulnerability from github – Published: 2026-05-21 21:27 – Updated: 2026-05-21 21:27Description
Several filters in the twig/* extras packages are registered with is_safe => ['all'], which tells Twig's autoescaper to treat their output as safe in every context (html, js, css, url, ...). The output of these filters is plain text or HTML markup, neither of which is safe in every escaping context.
Affected filters:
html_to_markdown(twig/markdown-extra) emits plain Markdown text.league/html-to-markdowndecodes HTML entities when producing code spans and fenced blocks, so an attacker-controlled<code><img src=x onerror=alert(1)></code>becomes`<img src=x onerror=alert(1)>`, which renders live when interpolated into an HTML page.markdown_to_html(twig/markdown-extra) emits HTML. Safe in an HTML context but not in JS, CSS or URL contexts (e.g. when interpolated into an inline<script>block).inline_css(twig/cssinliner-extra) emits HTML with inlined styles. Same constraint asmarkdown_to_html.
In all three cases, is_safe => ['all'] causes the autoescaper to emit the output verbatim in any context, even when the developer never wrote |raw. In a context such as a JS string or a URL parameter, this produces unescaped HTML and is exploitable as XSS.
Resolution
html_to_markdownno longer claims to be safe in any escaping context; its plain-text output is now autoescaped for the surrounding context.markdown_to_htmlandinline_cssare now declaredis_safe => ['html'], asserting only what they actually guarantee.
Credits
Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix for html_to_markdown and markdown_to_html in twig/markdown-extra, and Christophe Coevoet for extending the audit to inline_css in twig/cssinliner-extra.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "twig/markdown-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.26.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "twig/cssinliner-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46637"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T21:27:20Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\nSeveral filters in the `twig/*` extras packages are registered with `is_safe =\u003e [\u0027all\u0027]`, which tells Twig\u0027s autoescaper to treat their output as safe in every context (`html`, `js`, `css`, `url`, ...). The output of these filters is plain text or HTML markup, neither of which is safe in every escaping context.\n\nAffected filters:\n\n- `html_to_markdown` (`twig/markdown-extra`) emits plain Markdown text. `league/html-to-markdown` decodes HTML entities when producing code spans and fenced blocks, so an attacker-controlled `\u003ccode\u003e\u0026lt;img src=x onerror=alert(1)\u0026gt;\u003c/code\u003e` becomes `` `\u003cimg src=x onerror=alert(1)\u003e` ``, which renders live when interpolated into an HTML page.\n- `markdown_to_html` (`twig/markdown-extra`) emits HTML. Safe in an HTML context but not in JS, CSS or URL contexts (e.g. when interpolated into an inline `\u003cscript\u003e` block).\n- `inline_css` (`twig/cssinliner-extra`) emits HTML with inlined styles. Same constraint as `markdown_to_html`.\n\nIn all three cases, `is_safe =\u003e [\u0027all\u0027]` causes the autoescaper to emit the output verbatim in any context, even when the developer never wrote `|raw`. In a context such as a JS string or a URL parameter, this produces unescaped HTML and is exploitable as XSS.\n\n### Resolution\n\n- `html_to_markdown` no longer claims to be safe in any escaping context; its plain-text output is now autoescaped for the surrounding context.\n- `markdown_to_html` and `inline_css` are now declared `is_safe =\u003e [\u0027html\u0027]`, asserting only what they actually guarantee.\n\n### Credits\n\nTwig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix for `html_to_markdown` and `markdown_to_html` in `twig/markdown-extra`, and Christophe Coevoet for extending the audit to `inline_css` in `twig/cssinliner-extra`.",
"id": "GHSA-jv8m-2544-3pg3",
"modified": "2026-05-21T21:27:20Z",
"published": "2026-05-21T21:27:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-jv8m-2544-3pg3"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/cssinliner-extra/CVE-2026-46637.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/markdown-extra/CVE-2026-46637.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/twigphp/Twig"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-46637"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe =\u003e [\u0027all\u0027]`"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.