GHSA-2g2g-8p8h-fgwmLow

Twig: XSS in profiler HtmlDumper via unescaped template and profile names

Published
June 5, 2026
Last Modified
June 5, 2026

🔗 CVE IDs covered (1)

📋 Description

Description

Twig\Profiler\Dumper\HtmlDumper writes Profile::getTemplate() and Profile::getName() straight into its HTML output without escaping:

protected function formatTemplate(Profile $profile, $prefix): string
{
    return \sprintf('%s└ <span style="background-color: %s">%s</span>', $prefix, self::$colors['template'], $profile->getTemplate());
}

The template name comes from the loader (the array key for ArrayLoader, a row id for a database-backed loader, etc.). When that name is attacker-controlled, the profiler dump emits arbitrary HTML, and any browser that renders it executes the injected markup. This is an output-encoding bug in profiler/debug tooling, not a sandbox escape.

Resolution

HtmlDumper now runs both Profile::getTemplate() and Profile::getName() through htmlspecialchars() before inserting them into the HTML output.

Credits

Twig would like to thank El Kharoubi Iosif for reporting the issue and Nicolas Grekas for fixing it.

🎯 Affected products1

  • composer/twig/twig:>= 3.0.0, < 3.26.0

🔗 References (5)