Twig: XSS in profiler HtmlDumper via unescaped template and profile names

Low severity GitHub Reviewed Published May 20, 2026 in twigphp/Twig • Updated Jun 5, 2026

Package

composer twig/twig (Composer)

Affected versions

>= 3.0.0, < 3.26.0

Patched versions

3.26.0

Description

Twig\Profiler\Dumper\HtmlDumper writes Profile::getTemplate() and Profile::getName() straight into its HTML output without escaping. The vulnerable template formatter (Twig < 3.26.0) is:

// Twig < 3.26.0: $profile->getTemplate() is interpolated into the markup as-is
protected function formatTemplate(Profile $profile, $prefix): string
{
    return \sprintf('%s└ <span style="background-color: %s">%s</span>', $prefix, self::$colors['template'], $profile->getTemplate());
}

The template name comes from the loader (the array key for ArrayLoader, a row id for a database-backed loader, etc.), and the profile name from the block or macro being entered. When either string is attacker-controlled, the profiler dump contains the attacker's markup verbatim, and any browser that renders that dump (typically a debug toolbar or profiler page shown to developers) executes whatever script it carries. This is an output-encoding bug in profiler/debug tooling, not a sandbox escape: the profiler output has to be generated from a hostile template name and then displayed in a browser, which is why the advisory rates it Low.

Resolution

HtmlDumper now runs both Profile::getTemplate() and Profile::getName() through htmlspecialchars() before inserting them into the HTML output.
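The following PHP script is an added example, not code from Twig or from this advisory. It reproduces the flow described above (a hostile ArrayLoader key becomes the profile's template name and lands in the HtmlDumper output) and then checks whether the installed twig/twig escapes it, so it doubles as a version check for the fix. It assumes twig/twig is installed via Composer in the current directory (vendor/autoload.php) and uses the profiler API as shown in Twig's own profiler documentation; the hostile template name and the template body are constructed for the demo.

```php
<?php
// Added example: reproduce the unescaped-name flow and check for the fix.
// Assumes `composer require twig/twig` has been run in this directory.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\ProfilerExtension;
use Twig\Loader\ArrayLoader;
use Twig\Profiler\Dumper\HtmlDumper;
use Twig\Profiler\Profile;

// Constructed hostile name: for ArrayLoader the array key *is* the template
// name that Profile::getTemplate() later returns verbatim.
$hostileName = 'page<img src=x onerror="alert(document.domain)">.twig';

$loader = new ArrayLoader([
    $hostileName => 'Hello {{ who }}!',   // constructed template body
]);
$twig = new Environment($loader);

// Attach the profiler exactly as the Twig docs describe.
$rootProfile = new Profile();
$twig->addExtension(new ProfilerExtension($rootProfile));

// Rendering creates a child Profile whose template name is the hostile key.
$twig->render($hostileName, ['who' => 'world']);

// Dump the profile tree as HTML, the operation the advisory is about.
$html = (new HtmlDumper())->dump($rootProfile);

// The check a practitioner wants: did the raw tag survive into the dump,
// or was it neutralised (htmlspecialchars turns '<' into '&lt;')?
if (str_contains($html, '<img src=x onerror=')) {
    echo "VULNERABLE: template name emitted unescaped (Twig < 3.26.0)\n";
} elseif (str_contains($html, '&lt;img src=x onerror=')) {
    echo "PATCHED: template name is HTML-escaped (Twig >= 3.26.0)\n";
} else {
    echo "Inconclusive: hostile name not found in the dump\n";
}
```

Run it with `php check.php` against the vendored Twig. The same approach applies to any custom loader: whatever string your loader hands back as the template name is what ends up inside the profiler's `<span>`, so a loader backed by user-supplied identifiers (database rows, request parameters) is the realistic way this becomes reachable.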

Credits

Twig would like to thank El Kharoubi Iosif for reporting the issue and Nicolas Grekas for fixing it.

References

@nicolas-grekas nicolas-grekas published to twigphp/Twig May 20, 2026
Published to the GitHub Advisory Database Jun 5, 2026
Reviewed Jun 5, 2026
Last updated Jun 5, 2026

Severity

Low

Weaknesses

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE ID

CVE-2026-47730

GHSA ID

GHSA-2g2g-8p8h-fgwm
