CVE-2026-47730
Twig: XSS in profiler HtmlDumper via unescaped template and profile names
Description
### Description

`Twig\Profiler\Dumper\HtmlDumper` writes `Profile::getTemplate()` and `Profile::getName()` straight into its HTML output without escaping:

```php
protected function formatTemplate(Profile $profile, $prefix): string
{
    return \sprintf('%s└ <span style="background-color: %s">%s</span>', $prefix, self::$colors['template'], $profile->getTemplate());
}
```

The template name comes from the loader (the array key for `ArrayLoader`, a row id for a database-backed loader, etc.). When that name is attacker-controlled, the profiler dump emits arbitrary HTML, and any browser that renders it executes the injected markup. This is an output-encoding bug in profiler/debug tooling, not a sandbox escape.

### Resolution

`HtmlDumper` now runs both `Profile::getTemplate()` and `Profile::getName()` through `htmlspecialchars()` before inserting them into the HTML output.

### Credits

Twig would like to thank El Kharoubi Iosif for reporting the issue and Nicolas Grekas for fixing it.
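The following is an added illustration, not code from Twig or from the advisory. It puts the unescaped `formatTemplate()` shape quoted above next to a hardened variant that applies `htmlspecialchars()` the way the resolution describes, runs both over a constructed loader key that carries markup, and adds a small helper that tells whether an installed Twig version falls inside the affected `>= 3.0.0, < 3.26.0` range. `FakeProfile`, the `#dfd` colour value and the sample template name are assumptions made for the demo; they are not Twig's real `Profile` class or colour table.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for Twig\Profiler\Profile exposing only the two
// accessors HtmlDumper reads. Not Twig's own class.
final class FakeProfile
{
    public function __construct(private string $template, private string $name) {}
    public function getTemplate(): string { return $this->template; }
    public function getName(): string { return $this->name; }
}

// Pre-fix shape (mirrors the advisory's snippet): the loader-supplied
// template name is interpolated into HTML untouched.
function formatTemplateUnescaped(FakeProfile $profile, string $prefix, string $color): string
{
    return \sprintf('%s└ <span style="background-color: %s">%s</span>', $prefix, $color, $profile->getTemplate());
}

// Hardened variant: HTML-encode the untrusted strings before they reach the
// output. ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids
// returning an empty string on malformed UTF-8.
function escapeForHtml(string $s): string
{
    return \htmlspecialchars($s, \ENT_QUOTES | \ENT_SUBSTITUTE, 'UTF-8');
}

function formatTemplateEscaped(FakeProfile $profile, string $prefix, string $color): string
{
    return \sprintf('%s└ <span style="background-color: %s">%s</span>', $prefix, $color, escapeForHtml($profile->getTemplate()));
}

// Same treatment for the profile name, which the advisory lists as the second unescaped field.
function formatNameEscaped(FakeProfile $profile): string
{
    return '<span>' . escapeForHtml($profile->getName()) . '</span>';
}

// Affected range from the advisory: >= 3.0.0 and < 3.26.0.
function isAffectedTwigVersion(string $version): bool
{
    return \version_compare($version, '3.0.0', '>=') && \version_compare($version, '3.26.0', '<');
}

// Constructed sample input: an ArrayLoader key containing markup. Any tag
// works to show the point; a harmless <b> is enough to see it pass through.
$profile = new FakeProfile('index.html.twig<b>injected</b>', 'main "block"');
$color = '#dfd'; // placeholder for self::$colors['template']

$raw  = formatTemplateUnescaped($profile, '', $color);
$safe = formatTemplateEscaped($profile, '', $color);
$name = formatNameEscaped($profile);

$checks = [
    'raw output still contains the tag'        => \str_contains($raw, '<b>injected</b>'),
    'escaped output contains no raw tag'       => !\str_contains($safe, '<b>'),
    'escaped output carries entity-encoded tag' => \str_contains($safe, '&lt;b&gt;injected&lt;/b&gt;'),
    'name quotes are encoded'                  => \str_contains($name, '&quot;block&quot;'),
    '3.25.0 is affected'                       => isAffectedTwigVersion('3.25.0'),
    '3.26.0 is fixed'                          => !isAffectedTwigVersion('3.26.0'),
    '2.x is outside the stated range'          => !isAffectedTwigVersion('2.16.0'),
];

foreach ($checks as $label => $ok) {
    if (!$ok) {
        throw new \RuntimeException("check failed: $label");
    }
}

echo "unescaped: $raw\n";
echo "escaped:   $safe\n";
echo "name:      $name\n";
echo "all checks passed\n";
```

Run with `php demo.php`. The unescaped line shows the `<b>` element surviving into the dump, which is the injection surface the advisory describes; the escaped line shows it as `&lt;b&gt;`, rendered as literal text. The version helper is the quick check to run against `composer show twig/twig` output when triaging a deployment.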
How to fix CVE-2026-47730
To remediate CVE-2026-47730, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 3.26.0 or later
Is CVE-2026-47730 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47730.
Affected packages (2)
- from 0
- >= 3.0.0, < 3.26.0