Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`

CVE-2026-46637 View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Description

Several filters in the twig/* extras packages are registered with is_safe => ['all'], which tells Twig's autoescaper to treat their output as safe in every context (html, js, css, url, ...). The output of these filters is plain text or HTML markup, neither of which is safe in every escaping context.

Affected filters:

  • html_to_markdown (twig/markdown-extra) emits plain Markdown text. league/html-to-markdown decodes HTML entities when producing code spans and fenced blocks, so an attacker-controlled <code><img src=x onerror=alert(1)></code> becomes `<img src=x onerror=alert(1)>`, which renders live when interpolated into an HTML page.
  • markdown_to_html (twig/markdown-extra) emits HTML. Safe in an HTML context but not in JS, CSS or URL contexts (e.g. when interpolated into an inline <script> block).
  • inline_css (twig/cssinliner-extra) emits HTML with inlined styles. Same constraint as markdown_to_html.

In all three cases, is_safe => ['all'] causes the autoescaper to emit the output verbatim in any context, even when the developer never wrote |raw. In a context such as a JS string or a URL parameter, this produces unescaped HTML and is exploitable as XSS.

Resolution

  • html_to_markdown no longer claims to be safe in any escaping context; its plain-text output is now autoescaped for the surrounding context.
  • markdown_to_html and inline_css are now declared is_safe => ['html'], asserting only what they actually guarantee.

Credits

Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix for html_to_markdown and markdown_to_html in twig/markdown-extra, and Christophe Coevoet for extending the audit to inline_css in twig/cssinliner-extra.

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-21 21:27:20 UTC
Updated
2026-05-21 21:27:21 UTC
GitHub reviewed
2026-05-21 21:27:20 UTC

EPSS Score

No EPSS score in this advisory JSON.

CVSS Scores

Base score Version Severity Vector
1.3 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:P)
A user has to participate (for example click/open/approve).
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:L)
Limited confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:L)
Limited integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:U)
Unreported: no public PoC, no reported exploitation, and no known simplification tools.

Identifiers

Type Value
GHSA GHSA-jv8m-2544-3pg3 ↗
CVE CVE-2026-46637 ↗

CWEs

CWE id Name
CWE-116 Improper Encoding or Escaping of Output

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer twig/markdown-extra < 3.26.0 3.26.0
composer twig/cssinliner-extra < 3.26.0 3.26.0

References

cvelogic Threat Intelligence