
CVE-2026-47730 is a Cross-Site Scripting (XSS) vulnerability in Twig's Twig\Profiler\Dumper\HtmlDumper component, caused by template and profile names being written unescaped into the HTML profiler output. It affects the twig/twig Composer package at versions >= 3.0.0 and < 3.26.0. The vulnerability was published on May 20, 2026 and patched in version 3.26.0, released the same day. GitHub Advisory (GHSA-2g2g-8p8h-fgwm) rates it Low severity; Feedly estimates it as High, but that estimate is derived from the CWE-79 classification rather than from an assessment of the reachable attack surface (GitHub Advisory, Twig Release).
The root cause is an output-encoding defect (CWE-79) in HtmlDumper::formatTemplate(), which uses sprintf() to embed the return values of Profile::getTemplate() and Profile::getName() directly into an HTML string without passing them through htmlspecialchars() or any other escaping. The template name originates from the loader: for example, the array key in ArrayLoader, or a row identifier in a database-backed loader. Any application in which an attacker can influence a template name can therefore place HTML markup into the profile, and that markup is rendered, and any script in it executed, when a developer or administrator views the profiler dump in a browser. The fix applies htmlspecialchars() to the getTemplate() and getName() values before they are inserted into the HTML (GitHub Advisory, Twig Security Advisory).
Successful exploitation allows an attacker who controls a Twig template name (for example an ArrayLoader key or a database-backed loader entry) to inject arbitrary HTML and JavaScript into the Twig profiler dump. A browser that renders the dump executes the injected markup in the context of the page serving it, which can enable session hijacking, credential theft, or further attacks against the developers or administrators who view the profiler. Because the defect lives in profiler/debug tooling rather than in production template rendering, the practical impact is limited to deployments where the profiler is enabled and its HTML output is reachable by, or built from input supplied by, untrusted parties (GitHub Advisory, Feedly).
Upgrade twig/twig to version 3.26.0 or later, which applies htmlspecialchars() to both Profile::getTemplate() and Profile::getName() before inserting them into HTML output (Twig Release, GitHub Advisory). If immediate patching is not possible, restrict access to profiler and debug tooling output to trusted internal users, and do not expose profiler dumps to any untrusted audience. As defense in depth, validate template names that derive from user-controlled input (database rows, API parameters) against an allowlist at the application level before passing them to a Twig loader; this narrows the attack surface but does not replace the upgrade, since correct escaping at the point of HTML output is the actual fix.
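The following is an added example, not code from Twig, Symfony or Wiz, covering two points above: a check for whether the installed HtmlDumper escapes a hostile template name (the root cause described earlier), and the allowlist validation of template names suggested as defense in depth. It assumes twig/twig is installed with Composer so that vendor/autoload.php exists; Profile, HtmlDumper, Profile::TEMPLATE and Profile::addProfile() are Twig's real API, while the two helper functions, the payload string and the allowlist pattern are this example's own choices.

```php
<?php
// Added example (not Twig's own code). Assumes twig/twig is installed via
// Composer; the helper functions, payload and allowlist below are assumptions
// made for this example.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Profiler\Dumper\HtmlDumper;
use Twig\Profiler\Profile;

/**
 * Dump a profile tree whose child template carries an HTML payload (constructed
 * here for the check) and report whether HtmlDumper escaped it.
 *
 * Returns true when the raw payload is absent from the output (patched, >= 3.26.0)
 * and false when it survives verbatim (vulnerable to CVE-2026-47730).
 */
function profilerEscapesTemplateName(): bool
{
    $payload = '<script>alert(1)</script>'; // constructed attacker-style template name

    // A child TEMPLATE profile is needed so that the dumper reaches
    // formatTemplate(), the method the advisory identifies as unescaped.
    $root  = new Profile();
    $child = new Profile($payload, Profile::TEMPLATE, $payload);
    $root->addProfile($child);

    $html = (new HtmlDumper())->dump($root);

    return !str_contains($html, $payload);
}

/**
 * Application-level allowlist for template names sourced from untrusted input
 * (database rows, API parameters). Example policy, not a Twig rule: only
 * alphanumerics, underscore, dot, slash and dash, no parent-directory segments.
 */
function templateNameIsSafe(string $name): bool
{
    if ($name === '' || strlen($name) > 255) {
        return false;
    }
    if (str_contains($name, '..')) {
        return false;
    }

    return preg_match('#\A[A-Za-z0-9_][A-Za-z0-9_./-]*\z#', $name) === 1;
}

// Usage: run once against the installed Twig to see which case applies.
printf(
    "HtmlDumper escapes template names: %s\n",
    profilerEscapesTemplateName() ? 'yes (patched)' : 'NO (vulnerable, upgrade to >= 3.26.0)'
);
foreach (['pages/home.html.twig', '<script>alert(1)</script>', '../secret.twig'] as $name) {
    printf("template name %-30s allowed: %s\n", var_export($name, true), templateNameIsSafe($name) ? 'yes' : 'no');
}
```

The check deliberately tests the dumper's output rather than the Twig version string, so it also catches a vendored or patched copy whose version number does not reflect the fix. The allowlist is intentionally strict; loosen it only for characters your loader genuinely needs, and keep in mind that it protects against this profiler issue only incidentally, since the real fix is escaping at the HTML output.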
Symfony published an official CVE advisory and blog post at symfony.com/cve-2026-47730, and the fix was included in the Twig 3.26.0 release announcement on the Symfony blog (Symfony Blog). A Reddit thread in r/symfony discussed the CVE shortly after disclosure, reflecting community awareness but no significant alarm given the Low severity rating and limited attack surface. Tenable added Nessus detection plugins (IDs 316021 and 318004) for the vulnerability, and Linux distribution security trackers (e.g., Debian) flagged it for package updates (Feedly).
Source: This report was generated with the help of AI