CVE-2026-46637: Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`
Several filters in the twig/* extras packages are registered with is_safe => ['all'], which tells Twig’s autoescaper to treat their output as safe in every context (html, js, css, url, …). The output of these filters is plain text or HTML markup, neither of which is safe in every escaping context.
Affected filters:
html_to_markdown(twig/markdown-extra) emits plain Markdown text.league/html-to-markdowndecodes HTML entities when producing code spans and fenced blocks, so an attacker-controlled<code><img src=x onerror=alert(1)></code>becomes`<img src=x onerror=alert(1)>`, which renders live when interpolated into an HTML page.markdown_to_html(twig/markdown-extra) emits HTML. Safe in an HTML context but not in JS, CSS or URL contexts (e.g. when interpolated into an inline<script>block).inline_css(twig/cssinliner-extra) emits HTML with inlined styles. Same constraint asmarkdown_to_html.
In all three cases, is_safe => ['all'] causes the autoescaper to emit the output verbatim in any context, even when the developer never wrote |raw. In a context such as a JS string or a URL parameter, this produces unescaped HTML and is exploitable as XSS.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/twig/cssinliner-extra/CVE-2026-46637.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/twig/markdown-extra/CVE-2026-46637.yaml
- github.com/advisories/GHSA-jv8m-2544-3pg3
- github.com/twigphp/Twig/security/advisories/GHSA-jv8m-2544-3pg3
- nvd.nist.gov/vuln/detail/CVE-2026-46637
- symfony.com/cve-2026-46637
Code Behaviors & Features
Detect and mitigate CVE-2026-46637 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →