CVE-2026-46628
Twig: The `spaceless` filter implicitly marks its output as safe
Description
The `spaceless` filter is registered with `is_safe => ['html']`, which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying `spaceless` to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote `|raw` and autoescape is enabled.

Example:

```twig
{% set payload = '<script>alert()</script>' %}
{{ payload }} {# escaped #}
{{ payload|spaceless }} {# not escaped #}
```

The filter is deprecated but still functional. With the deprecation, some downstream projects (e.g. Drupal modules) have duplicated the filter and inherited the same `is_safe` flag.

### Resolution

The `spaceless` filter no longer marks its output as safe. Documentation has been updated to warn that `spaceless` should not be applied to unsanitised user input.

### Credits

Twig would like to thank Pierre Rudloff for reporting the issue.
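The following is an added example, not code from the advisory or from Twig itself. It shows why a downstream copy of `spaceless` must not be registered with `is_safe => ['html']`: the same whitespace-collapsing callable is registered twice, once with the flag and once without, and a constructed payload is rendered through each under autoescape. It assumes `twig/twig` is installed via Composer and that the collapse regex approximates the original filter's behaviour.

```php
<?php
// Added example: vulnerable vs hardened registration of a custom `spaceless` copy.
// Assumes twig/twig is installed via Composer (vendor/autoload.php present).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Whitespace removal between tags (assumed approximation of the original filter).
// The callable is identical in both registrations; only the options differ.
$collapse = fn (string $html): string => trim(preg_replace('/>\s+</', '><', $html));

// Vulnerable registration: declares the output safe for HTML, so the
// autoescaper skips it and any markup in the input reaches the page verbatim.
$unsafeFilter = new TwigFilter('my_spaceless', $collapse, ['is_safe' => ['html']]);

// Hardened registration: no is_safe option, so autoescape still applies.
$safeFilter = new TwigFilter('my_spaceless', $collapse);

// Render a one-line template with the given filter under HTML autoescape.
function render(TwigFilter $filter, string $payload): string
{
    $loader = new ArrayLoader(['t' => '{{ payload|my_spaceless }}']);
    $twig = new Environment($loader, ['autoescape' => 'html']);
    $twig->addFilter($filter);
    return $twig->render('t', ['payload' => $payload]);
}

// Constructed untrusted input for the demonstration.
$payload = '<script>alert()</script>';

$unsafeOut = render($unsafeFilter, $payload);
$safeOut = render($safeFilter, $payload);

echo "with is_safe:    {$unsafeOut}\n";
echo "without is_safe: {$safeOut}\n";

// Self-check: the hardened registration must never emit a raw tag.
if (str_contains($safeOut, '<script')) {
    throw new RuntimeException('hardened filter leaked unescaped markup');
}
```

The same check is a useful regression test for any project that copied `spaceless` when it was deprecated: register the copied filter, render a payload containing markup, and fail the build if an unescaped tag appears in the output.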
How to fix CVE-2026-46628
To remediate CVE-2026-46628, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 3.26.0 or later
Is CVE-2026-46628 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-46628.
Affected packages (2)
- from 0
- from 0, < 3.26.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U |