CVE-2026-46637 Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`
Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with issafe = all, causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and other contexts where the output is not properly...