HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`

PKSA-fs5b-x5k4-1h39 CVE-2026-46637

Affected package: twig/cssinliner-extra

Affected version: >=2.12.0,<3.0.0|>=3.0.0,<3.26.0

Reported by:
FriendsOfPHP/security-advisories