PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46628 twigphp CVE debrief

The CVE-2026-46628 record describes a security vulnerability in the Twig template language for PHP, specifically in the deprecated spaceless filter prior to version 3.26.0. This filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input. The vulnerability allows attackers to inject malicious HTML code. The issue is fixed in version 3.26.0. Developers and administrators using Twig template language for PHP, especially those who handle user-input data, should be aware of this security vulnerability and take necessary precautions.

Vendor
twigphp
Product
Twig
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-16
Advisory published
2026-07-14
Advisory updated
2026-07-16

Who should care

Developers and administrators using Twig template language for PHP, especially those who handle user-input data, should be aware of this security vulnerability. They should review their usage of the spaceless filter and update to version 3.26.0 or later to prevent potential attacks. Additionally, security teams and vulnerability management teams should be aware of this vulnerability and track its exposure in their environments.

Technical summary

The deprecated spaceless filter in Twig template language for PHP, prior to version 3.26.0, is registered as safe for HTML. This causes Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted input, allowing attackers to inject malicious HTML code. The vulnerability requires specific conditions to be exploited, but can have significant impact if exploited. Users should update to version 3.26.0 or later and review their usage of the spaceless filter.

Defensive priority

Medium priority, as the vulnerability requires specific conditions to be exploited, but can have significant impact if exploited.

Recommended defensive actions

  • Update Twig to version 3.26.0 or later
  • Review and validate user-input data
  • Implement additional security measures, such as input validation and output encoding
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, its impact, and the fixed version. The vendor advisory and patch information are available through the provided resource links. Evidence limits suggest that additional information may exist but is not currently publicly available. Defenders should verify the affected scope, severity, and vendor guidance with the official advisory. Limited source detail is provided, and users should review the CVE record and NVD detail for further information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:54.853Z and has not been modified since then.