PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47730 twigphp CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:59.530Z and has not been modified since then. This vulnerability affects Twig versions between 3.0.0 and 3.26.0, allowing attacker-controlled template or profile names to inject arbitrary HTML. The issue is fixed in version 3.26.0. Developers and administrators should review and apply the patch to prevent potential XSS attacks.

Vendor
twigphp
Product
Twig
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-16
Advisory published
2026-07-14
Advisory updated
2026-07-16

Who should care

Developers and administrators using Twig versions between 3.0.0 and 3.26.0 should review and apply the patch to prevent potential XSS attacks. Affected operators and platforms include those using Twig for templating, and security teams should prioritize patching and review compensating controls for exposed systems.

Technical summary

Twig's HTML profiler dump feature writes Profile::getTemplate() and Profile::getName() into HTML output without escaping, allowing attacker-controlled template or profile names to inject arbitrary HTML. This issue is fixed in version 3.26.0. The vulnerability requires a low-privileged user to inject malicious template or profile names, and its impact is limited to the profiler dump feature. Affected systems include those using Twig for templating between versions 3.0.0 and 3.26.0. Developers and administrators should review and apply the patch to prevent potential XSS attacks, focusing on validating user-controlled input for template and profile names, and implementing additional security measures such as output encoding and Content Security Policy (CSP). Evidence from the CVE record and NVD detail supports this guidance, emphasizing the need for careful patch application and compensating controls for exposed systems.

Defensive priority

Medium priority, as the vulnerability requires a low-privileged user to inject malicious template or profile names.

Recommended defensive actions

  • Review and apply the patch by upgrading to Twig version 3.26.0 or later
  • Verify and validate user-controlled input for template and profile names
  • Implement additional security measures, such as output encoding and Content Security Policy (CSP)
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, its impact, and the fixed version. The vendor advisory and patch information are available on the Twig GitHub repository. Evidence limits suggest that further verification is required to confirm affected scope and severity. Defenders should verify the patch application and review compensating controls for exposed systems.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:16:59.530Z and has not been modified since then.