PT-2026-42171 · Drupal+1

Published 2026-05-20 · Updated 2026-05-21 · CVE-2026-46628

CVSS v4.0: 1.3 (Low)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: Twig (affected versions not specified)
Description: The spaceless filter is registered with is_safe => ['html'], so Twig's autoescaper treats its output as already-safe HTML and skips escaping it in HTML contexts. Attacker-controlled input containing markup that passes through the filter is therefore emitted unescaped, even when autoescape is enabled and the |raw filter is not used. The filter is deprecated but still functional, and some downstream projects, such as Drupal modules, have duplicated it and inherited the same behavior.
Recommendations: Update to a version in which the spaceless filter no longer marks its output as safe. Do not apply the spaceless filter to unsanitized user input.
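The registration difference described above, shown as an added example (not code from the advisory, from Twig, or from Drupal): a downstream copy of the filter, named `spaceless_copy` here, is registered once with `is_safe => ['html']` and once without, and the same template is rendered with autoescape on. The Composer autoload path and the template are assumptions.

```php
<?php
// Added example: how 'is_safe' => ['html'] on a Twig filter disables
// autoescaping of its output, and what the hardened registration looks like.
// Assumes Twig 3.x installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Same whitespace-collapsing logic as the deprecated core spaceless filter:
// only whitespace between two tags is removed.
$collapse = static fn (string $html): string =>
    trim(preg_replace('/>\s+</', '><', $html));

// Render a fixed template with autoescape enabled and the given filter
// registered under the (hypothetical) name 'spaceless_copy'.
function render(TwigFilter $filter, string $userInput): string
{
    $loader = new ArrayLoader([
        'page.html.twig' => '<div>{{ content|spaceless_copy }}</div>',
    ]);
    $twig = new Environment($loader, ['autoescape' => 'html']);
    $twig->addFilter($filter);

    return $twig->render('page.html.twig', ['content' => $userInput]);
}

// Constructed sample: markup supplied by a user, which the template author
// expects to be escaped like any other variable.
$userInput = "<b>x</b>\n  <i>y</i>";

// Vulnerable registration: the output is declared HTML-safe, so the
// autoescaper leaves the user's tags intact.
$unsafe = new TwigFilter('spaceless_copy', $collapse, ['is_safe' => ['html']]);
echo render($unsafe, $userInput), PHP_EOL;
// <div><b>x</b><i>y</i></div>

// Hardened registration: no 'is_safe', so the filter result is escaped
// on output exactly as an unfiltered variable would be.
$safe = new TwigFilter('spaceless_copy', $collapse);
echo render($safe, $userInput), PHP_EOL;
// <div>&lt;b&gt;x&lt;/b&gt;&lt;i&gt;y&lt;/i&gt;</div>
```

The same check applies to any downstream module that copied the core filter: grep its extension class for `is_safe` and confirm that a filter which merely reshapes whitespace does not claim its output is safe HTML.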


Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers

CVE-2026-46628
GHSA-4J38-F5CW-54H7

Affected Products

Drupal
Twig