4 matches found
CVE-2019-10010
CVE-2019-10010 affects the PHP League CommonMark library (versions up to and including 0.18.2). The vulnerability arises in the renderer when double-encoded HTML entities are not properly escaped, allowing an attacker to craft links that execute unsafe code (XSS). The issue is fixed in 0.18.3, wh...
CVE-2018-20583
The PHP League CommonMark library (versions 0.15.6–0.18.x before 0.18.1) is affected by CVE-2018-20583: an XSS flaw that lets remote attackers insert unsafe URLs into HTML via newline-encoded strings (e.g., javascri%0apt), even when allow_unsafe_links is false. Remediation: upgrade to 0.18.1 or l...
CVE-2026-30838
CVE-2026-30838 affects league/commonmark, a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting ASCII whitespace between a disallowed HTML tag name and the closing >, e.g., , enabling a cross-site scripting (XSS) vector for applications tha...
CVE-2026-33347
Summary: CVE-2026-33347 affects league/commonmark’s Embed extension DomainFilteringAdapter. A missing hostname boundary assertion in the domain-matching regex allows an attacker-controlled domain (e.g., youtube.com.evil) to bypass the allowlist, potentially treating untrusted content as allowed. ...