PT-2026-42176 · Unknown · Markdown-Extra+1
Published 2026-05-20 · Updated 2026-05-21 · CVE-2026-46637
CVSS v4.0: 1.3 (Low)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U |
Name of the Vulnerable Software and Affected Versions
twig/markdown-extra (affected versions not specified)
twig/cssinliner-extra (affected versions not specified)
Description
Several filters in the twig/* extras packages are incorrectly registered with is_safe => ['all'], which instructs the autoescaper to treat their output as safe in all contexts (HTML, JS, CSS and URL). Their output is therefore emitted verbatim even without the |raw filter, which can result in Cross-Site Scripting (XSS). The affected filters are:

- html_to_markdown (twig/markdown-extra): emits plain Markdown text. Because league/html-to-markdown decodes HTML entities in code spans and fenced blocks, attacker-controlled input can render as live HTML.
- markdown_to_html (twig/markdown-extra): emits HTML, which is unsafe when interpolated into JS, CSS or URL contexts, such as inline <script> blocks.
- inline_css (twig/cssinliner-extra): emits HTML with inlined styles and shares the same constraints as markdown_to_html.
Recommendations
For twig/markdown-extra, update to a version where html_to_markdown no longer claims to be safe in any escaping context and markdown_to_html is declared as is_safe => ['html'].
For twig/cssinliner-extra, update to a version where inline_css is declared as is_safe => ['html'].
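To show why the is_safe declaration matters, here is an added example (not code from the twig/* extras packages) that registers a hypothetical HTML-producing filter, to_html, once with the weak is_safe => ['all'] and once with the recommended ['html'], and renders it inside an autoescape 'js' block; it assumes twig/twig is installed via Composer.

```php
<?php
// Added example, not code from the twig/* extras packages.
// Shows the effect of is_safe on a filter whose output is HTML: with ['all']
// the JS autoescaper is bypassed, with ['html'] it still applies in a JS context.
// Assumes twig/twig is installed (composer require twig/twig).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Hypothetical stand-in for an HTML-producing filter such as markdown_to_html.
$toHtml = function (string $s): string {
    return '<p>' . $s . '</p>';
};

$loader = new ArrayLoader([
    // The filter result is interpolated into an inline script, i.e. a JS context.
    'page' => "{% autoescape 'js' %}var html = '{{ input|to_html }}';{% endautoescape %}",
]);

// Render the template with the filter registered under the given is_safe list.
function renderWith(array $isSafe, ArrayLoader $loader, callable $toHtml): string
{
    $twig = new Environment($loader);
    $twig->addFilter(new TwigFilter('to_html', $toHtml, ['is_safe' => $isSafe]));
    // Constructed input: markup that must not reach a script block unescaped.
    return $twig->render('page', ['input' => '<b>x</b>']);
}

// Weak registration (the advisory's finding): the filter claims to be safe in
// every context, so the autoescaper is skipped and the HTML lands verbatim
// inside the JS string literal.
echo renderWith(['all'], $loader, $toHtml), PHP_EOL;

// Corrected registration (the advisory's recommendation): safe for HTML only,
// so inside autoescape 'js' the value is still JS-escaped before insertion.
echo renderWith(['html'], $loader, $toHtml), PHP_EOL;
```

Running the script prints the two renderings one after the other, so the difference between the bypassed and the applied JS escaping is visible directly.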
Weakness Enumeration
Improper Encoding or Escaping of Output
Affected Products
Cssinliner-Extra
Markdown-Extra