CVE-2026-30838
CVE-2026-30838 affects league/commonmark, a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting ASCII whitespace between a disallowed HTML tag name and the closing >, e.g., , enabling a cross-site scripting (XSS) vector for applications tha...
CVE-2026-30838 league/commonmark: DisallowedRawHtml extension bypass via whitespace in HTML tag names
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, would pass through unfiltered and be rendered as a...
Cross-site Scripting (XSS)
league/commonmark is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper filtering of disallowed HTML tags that can be bypassed using whitespace characters, which allows an attacker to inject and execute malicious scripts...
commonmark cross-site scripting vulnerability
Commonmark is a highly scalable PHP Markdown parser developed by The League of Extraordinary Packages. It fully supports the CommonMark and GFM specifications. Versions of Commonmark prior to 2.8.1 had a cross-site scripting vulnerability. This vulnerability stemmed from the DisallowedRawHtml...
GHSA-4V6X-C7XX-HW9F CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names
Impact The DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting X...
PT-2026-23795
Name of the Vulnerable Software and Affected Versions league/commonmark versions prior to 2.8.1 Description The DisallowedRawHtml extension in league/commonmark can be bypassed by inserting ASCII whitespace characters between a disallowed HTML tag name and the closing '>'. For example, would pass...
EUVD-2023-41361
Malicious code in bioql PyPI...
EUVD-2023-26633
Malicious code in bioql PyPI...
EUVD-2025-13411
Malicious code in bioql PyPI...
EUVD-2022-5057
Malicious code in bioql PyPI...
EUVD-2025-28874
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2025-9670
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A security flaw has been discovered in mixmark-io turndown up to 7.2.1. This affects an unknown function of the file src/commonmark-rules.js. Performing...
CVE-2025-9670
A security flaw has been discovered in mixmark-io turndown up to 7.2.1. This affects an unknown function of the file src/commonmark-rules.js. Performing manipulation results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released...
Regular Expression Denial of Service (ReDoS)
Overview org.webjars.npm:turndown is a library that converts HTML to Markdown. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the replacement function in commonmark-rules.js. An attacker can cause excessive resource consumption. PoC js const...
Regular Expression Denial of Service (ReDoS)
Overview turndown is a library that converts HTML to Markdown. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the replacement function in commonmark-rules.js. An attacker can cause excessive resource consumption. PoC js const attackString =...
UBUNTU-CVE-2025-9670
A security flaw has been discovered in mixmark-io turndown up to 7.2.1. This affects an unknown function of the file src/commonmark-rules.js. Performing manipulation results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released...
CVE-2025-9670
CVE-2025-9670 concerns mixmark-io turndown up to 7.2.1, with a vulnerability in src/commonmark-rules.js that leads to inefficient regular-expression handling. IBM Security SOAR versions 51.0.7.x and earlier are affected; IBM recommends upgrading to v51.0.8.0 to address the issue. The vulnerabilit...