CVE-2026-46637
Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with i
CVSS
5.4
Medium
EPSS
0.2%
p7
KEV
—
Exploit Today
2
0-100
Published: Jul 14, 2026 · Last modified: Jul 16, 2026 · CWE-116 · CWE-79
0.2%EPSS · 30 days0.3%
2026-07-152026-07-17
Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly escaped. This issue is fixed in version 3.26.0.
- github.comhttps://github.com/twigphp/Twig/commit/84982072c79a7417b0d158a401d91344f3658299
- github.comhttps://github.com/twigphp/Twig/commit/e36489d3521ecbfc08bdcc61294302557035f14a
- github.comhttps://github.com/twigphp/Twig/releases/tag/v3.26.0
- github.comhttps://github.com/twigphp/Twig/security/advisories/GHSA-jv8m-2544-3pg3
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2021-252996.1 MED99.9%
——30Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session cookies or it can be chained with the previous bugs to get one-click remote command execution (RCE) on the Nagios XI server.9dCVE-2021-364506.1 MED99.2%
——30Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter.9dCVE-2023-414256.1 MED98.9%
——30Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.9dCVE-2022-330986.1 MED98.8%
——30Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted SVG document, with JavaScript, for a profile picture.9dCVE-2025-441489.8 CRI98.8%
——30Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component13dCVE-2022-365335.4 MED98.5%
——30Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below was discovered to contain a cross-site scripting (XSS) vulnerability.9d