PatchSiren cyber security CVE debrief
CVE-2026-46628 twigphp CVE debrief
The CVE-2026-46628 record describes a security vulnerability in the Twig template language for PHP, specifically in the deprecated spaceless filter prior to version 3.26.0. This filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. The vulnerability allows attackers to inject malicious HTML code. The issue is fixed in version 3.26.0. Developers and administrators using Twig template language for PHP, especially those who handle user-input data, should be aware of this security vulnerability and take necessary precautions.
- Vendor
- twigphp
- Product
- Twig
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-16
Who should care
Developers and administrators using Twig template language for PHP, especially those who handle user-input data, should be aware of this security vulnerability. They should review their usage of the spaceless filter and update to version 3.26.0 or later to prevent potential attacks. Additionally, security teams and vulnerability management teams should be aware of this vulnerability and track its exposure in their environments.
Technical summary
The deprecated spaceless filter in Twig template language for PHP, prior to version 3.26.0, is registered as safe for HTML. This causes Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input, allowing attackers to inject malicious HTML code. The vulnerability requires specific conditions to be exploited, but can have significant impact if exploited. Users should update to version 3.26.0 or later and review their usage of the spaceless filter.
Defensive priority
Medium priority, as the vulnerability requires specific conditions to be exploited, but can have significant impact if exploited.
Recommended defensive actions
- Update Twig to version 3.26.0 or later
- Review and validate user-input data
- Implement additional security measures, such as input validation and output encoding
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, its impact, and the fixed version. The vendor advisory and patch information are available through the provided resource links. Evidence limits suggest that additional information may exist but is not currently publicly available. Defenders should verify the affected scope, severity, and vendor guidance with the official advisory. Limited source detail is provided, and users should review the CVE record and NVD detail for further information.
Official resources
-
CVE-2026-46628 CVE record
CVE.org
-
CVE-2026-46628 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:54.853Z and has not been modified since then.