Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS : league/commonmark vulnerabilities (USN-8194-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8194-1 advisory. It was discovered that league/commonmark did not properly restrict unsafe attributes when the Attributes extension was enabled. A...

USN-8194-1 php-league-commonmark vulnerabilities

It was discovered that league/commonmark did not properly restrict unsafe attributes when the Attributes extension was enabled. An attacker could possibly use this issue to cause cross-site scripting by injecting malicious code into rendered HTML. This issue only affected Ubuntu 22.04 LTS and...

USN-8194-1: league/commonmark vulnerabilities

It was discovered that league/commonmark did not properly restrict unsafe attributes when the Attributes extension was enabled. An attacker could possibly use this issue to cause cross-site scripting by injecting malicious code into rendered HTML. This issue only affected Ubuntu 22.04 LTS and...

CVE-2026-33347

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like...

UBUNTU-CVE-2026-33347

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like...

CVE-2026-33347

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like...

CVE-2026-33347

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like...

CVE-2026-33347

Summary: CVE-2026-33347 affects league/commonmark’s Embed extension DomainFilteringAdapter. A missing hostname boundary assertion in the domain-matching regex allows an attacker-controlled domain (e.g., youtube.com.evil) to bypass the allowlist, potentially treating untrusted content as allowed. ...

CVE-2026-33347 league/commonmark has an embed extension allowed_domains bypass

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like...

CVE-2026-33347 league/commonmark has an embed extension allowed_domains bypass

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like...

CVE-2026-33347 league/commonmark has an embed extension allowed_domains bypass

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like...

commonmark 代码问题漏洞

Commonmark is a highly scalable PHP Markdown parser developed by The League of Extraordinary Packages. It fully supports the CommonMark and GFM specifications. Versions of Commonmark from 2.3.0 to 2.8.2 had code vulnerabilities. These vulnerabilities stemmed from the DomainFilteringAdapter in the...

Linux Distros Unpatched Vulnerability : CVE-2026-33347

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an...

Linux Distros Unpatched Vulnerability : CVE-2026-30838

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII...

CVE-2026-30838

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing . For example, would pass through unfiltered and be rendered as a...

DEBIAN-CVE-2026-30838

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing . For example, would pass through unfiltered and be rendered as a...

CVE-2026-30838

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing . For example, would pass through unfiltered and be rendered as a...

CVE-2026-30838

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing . For example, would pass through unfiltered and be rendered as a...

CVE-2026-30838

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing . For example, would pass through unfiltered and be rendered as a...

CVE-2026-30838 league/commonmark: DisallowedRawHtml extension bypass via whitespace in HTML tag names

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing . For example, would pass through unfiltered and be rendered as a...