PT-2026-42631 · Packagist · Twig/Cssinliner-Extra+1

Published

2026-05-21

·

Updated

2026-05-21

CVSS v4.0

1.3

Low

Vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

Description

Several filters in the twig/* extras packages are registered with is_safe => ['all'], which tells Twig's autoescaper to treat their output as safe in every escaping context (html, js, css, url, ...). The output of these filters is plain text or HTML markup, neither of which is safe in every escaping context.
Affected filters:
  • html_to_markdown (twig/markdown-extra) emits plain Markdown text. league/html-to-markdown decodes HTML entities when it produces code spans and fenced blocks, so attacker-controlled input such as <code>&lt;img src=x onerror=alert(1)&gt;</code> becomes `<img src=x onerror=alert(1)>`. Because the filter claims its output is safe, the autoescaper does not re-escape it, and the tag renders live when the result is interpolated into an HTML page.
  • markdown_to_html (twig/markdown-extra) emits HTML. That is safe in an HTML context but not in JS, CSS or URL contexts (e.g. when the result is interpolated into an inline <script> block).
  • inline_css (twig/cssinliner-extra) emits HTML with inlined styles; same constraint as markdown_to_html.
In all three cases, is_safe => ['all'] makes the autoescaper emit the output verbatim in any context, even when the developer never wrote |raw. In a context such as a JS string or a URL parameter this yields unescaped HTML and is exploitable as XSS.
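The following is an added example, not code from Twig or the twig/* extras. It reproduces the faulty declaration (is_safe => ['all']) beside the fixed ones using two stand-in filters, so it runs with only twig/twig installed via Composer: $toMarkdown imitates the entity-decoding code-span behaviour described above, and $toHtml stands in for a filter that returns markup. Both stand-ins, the filter name f, the template names and the payload are constructed for the demonstration.

```php
<?php
// Added example, not the extensions' own code. Assumes twig/twig is installed
// via Composer (vendor/autoload.php); the stand-in filters are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Stand-in for html_to_markdown: emits plain text and, like league/html-to-markdown
// does for code spans, decodes the entities inside the tag. Not the real converter.
$toMarkdown = static fn (string $html): string =>
    '`' . html_entity_decode(strip_tags($html), ENT_QUOTES | ENT_HTML5) . '`';

// Stand-in for markdown_to_html / inline_css: returns HTML markup.
$toHtml = static fn (string $s): string => '<p>' . $s . '</p>';

// Constructed attacker-controlled input.
$payload = '<code>&lt;img src=x onerror=alert(1)&gt;</code>';

$templates = [
    // Body context: the 'html' strategy applies.
    'html_ctx' => '<div>{{ payload|f }}</div>',
    // Inline-script context: the value lands inside a JS string literal.
    'js_ctx'   => "<script>var s = '{% autoescape 'js' %}{{ payload|f }}{% endautoescape %}';</script>",
];

/**
 * Render both contexts with filter $fn declared under the given is_safe value.
 * $isSafe === null means the is_safe option is omitted (output is never trusted).
 */
function renderWith(callable $fn, ?array $isSafe, array $templates, string $payload): array
{
    $twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);
    $options = $isSafe === null ? [] : ['is_safe' => $isSafe];
    $twig->addFilter(new TwigFilter('f', $fn, $options));

    return [
        'html' => $twig->render('html_ctx', ['payload' => $payload]),
        'js'   => $twig->render('js_ctx', ['payload' => $payload]),
    ];
}

$cases = [
    'html_to_markdown stand-in, vulnerable (is_safe => [all])' => [$toMarkdown, ['all']],
    'html_to_markdown stand-in, fixed (no is_safe)'            => [$toMarkdown, null],
    'markdown_to_html stand-in, vulnerable (is_safe => [all])' => [$toHtml, ['all']],
    'markdown_to_html stand-in, fixed (is_safe => [html])'     => [$toHtml, ['html']],
];

foreach ($cases as $label => [$fn, $isSafe]) {
    echo "== $label ==\n";
    foreach (renderWith($fn, $isSafe, $templates, $payload) as $ctx => $out) {
        echo "  [$ctx] $out\n";
    }
}
// With ['all'] the autoescaper touches nothing: the decoded <img ...> tag is
// emitted verbatim into the HTML body, and the <p>...</p> markup is emitted
// verbatim into the JS string. With the fixed declarations the 'html' strategy
// escapes the Markdown text's < and >, and the 'js' strategy escapes the markup
// before it reaches the script.
```

The point to take from the output is that the declaration, not the template, decides whether escaping happens: none of the templates use |raw, yet under is_safe => ['all'] every context receives the filter's output untouched. When auditing your own extensions, grep for is_safe => ['all'] and ask for each filter which single strategy its output actually satisfies.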

Resolution

  • html_to_markdown no longer claims to be safe in any escaping context; its plain-text output is now autoescaped for the surrounding context.
  • markdown_to_html and inline_css are now declared is_safe => ['html'], asserting only what they actually guarantee.

Credits

Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix for html_to_markdown and markdown_to_html in twig/markdown-extra, and Christophe Coevoet for extending the audit to inline_css in twig/cssinliner-extra.

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

GHSA-JV8M-2544-3PG3

Affected Products

twig/cssinliner-extra
twig/markdown-extra