Affected versions

Twig versions >=3.0.0, <3.26.0 are affected by this security issue.

The issue has been fixed in Twig 3.26.0.

Description

Twig\Profiler\Dumper\HtmlDumper writes Profile::getTemplate() and Profile::getName() straight into its HTML output without escaping:

        1
2
3
4
        protected function formatTemplate(Profile $profile, $prefix): string
{
    return \sprintf('%s└ <span style="background-color: %s">%s</span>', $prefix, self::$colors['template'], $profile->getTemplate());
}
    

The template name comes from the loader (the array key for ArrayLoader, a row id for a database-backed loader, etc.). When that name is attacker-controlled, the profiler dump emits arbitrary HTML, and any browser that renders it executes the injected markup. This is an output-encoding bug in profiler/debug tooling, not a sandbox escape.

Resolution

HtmlDumper now runs both Profile::getTemplate() and Profile::getName() through htmlspecialchars() before inserting them into the HTML output.

Credits

We would like to thank El Kharoubi Iosif for reporting the issue and Nicolas Grekas for fixing it.

Published in #Security Advisories #Twig

CVE-2026-47730 XSS in profiler HtmlDumper via unescaped template and profile names

Affected versions

Description

Resolution

Credits

Comments

Become a Symfony contributor