CVE-2026-46628: Twig: The `spaceless` filter implicitly marks its output as safe
The `spaceless` filter is registered with `is_safe => ['html']`, which means Twig’s autoescaper does not escape its output in an HTML context. As a result, applying `spaceless` to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote `|raw` and autoescape is enabled.
Example:
{% set payload = '<script>alert()</script>' %}
{{ payload }} {# escaped #}
{{ payload|spaceless }} {# not escaped #}
The filter is deprecated but still functional. With the deprecation, some downstream projects (e.g. Drupal modules) have duplicated the filter and inherited the same is_safe flag.
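The following PHP script is an added example, not code from the advisory or from the Twig project. It reproduces the root cause with a downstream-style copy of the filter (hypothetical name `spaceless_copy`) registered with the same `is_safe => ['html']` flag, and shows the hardened registration (hypothetical name `spaceless_hardened`) that keeps the whitespace-collapsing behaviour but leaves the autoescaper in charge. It assumes `twig/twig` is installed via Composer; the payload is constructed for the demo.

```php
<?php
// Added example (not from the advisory): why a filter registered with
// is_safe => ['html'] bypasses Twig autoescaping, and a hardened registration.
require __DIR__ . '/vendor/autoload.php'; // assumption: twig/twig installed via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Whitespace-collapsing logic with the same intent as the spaceless filter:
// drop whitespace that sits between HTML tags.
$collapse = static fn (string $html): string => trim(preg_replace('/>\s+</', '><', $html));

$templates = [
    'demo' => "{{ payload }}\n"
            . "{{ payload|spaceless_copy }}\n"
            . "{{ payload|spaceless_hardened }}\n",
];

// autoescape is on, as it is by default for .twig templates.
$twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);

// Hypothetical downstream copy of the filter that inherits the is_safe flag:
// Twig treats its return value as already safe for HTML and does not escape it.
$twig->addFilter(new TwigFilter('spaceless_copy', $collapse, ['is_safe' => ['html']]));

// Hardened registration: no is_safe option, so the autoescaper still runs on
// the collapsed result. Use this shape whenever the filter can see untrusted input.
$twig->addFilter(new TwigFilter('spaceless_hardened', $collapse));

// Constructed attacker-controlled input (same markup as the advisory's example,
// with inter-tag whitespace so the collapsing step is visible).
$payload = "<script>alert()</script>\n  <b>hi</b>";

echo $twig->render('demo', ['payload' => $payload]);
```

Run it with `php demo.php`: the first line is the plain autoescaped variable, the second line is the collapsed markup emitted verbatim (the `is_safe` bypass the advisory describes), and the third line is collapsed and then escaped because Twig no longer considers the filter's output safe. When auditing a codebase, search templates for `|spaceless` (and any copied filter name) applied to variables rather than to literal template markup, and check each duplicated filter registration for the `is_safe` option.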