Description
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.
Published: 2026-03-07
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting via Whitespace Bypass
Action: Patch Now
AI Analysis

Impact

The vulnerability is a flaw in the DisallowedRawHtml extension for the PHP Markdown parser league/commonmark, where inserting any ASCII whitespace between the tag name and the final '>' bypasses the sanitizer. This allows disallowed tags like <script> to be rendered to the browser, enabling arbitrary JavaScript execution as an XSS vector. The weakness is an instance of CWE-79, representing unsafe handling of user-supplied markup.

Affected Systems

All installations of thephpleague:commonmark before version 2.8.1 that enable the DisallowedRawHtml extension are affected. This includes any PHP application that processes untrusted Markdown through the parser, such as web frameworks handling comments, posts, or API payloads. Applications that do not use this extension or that apply a separate HTML sanitizer after rendering are not vulnerable.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity, while an EPSS score of less than 1% points to a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw remotely by injecting crafted Markdown containing whitespace-delimited disallowed tags via any user-contributed content field. No special privileges or local access are required; the attack vector is typical web-based user input.

Generated by OpenCVE AI on April 17, 2026 at 12:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade thephpleague:commonmark to version 2.8.1 or later
  • Disable or remove the DisallowedRawHtml extension when rendering untrusted Markdown
  • Apply an additional HTML sanitizer, such as HTML Purifier, to the final output before sending it to browsers
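To confirm that an installation is on a fixed release, or to detect the whitespace bypass described above before upgrading, the following regression check is an added example; it is not code from league/commonmark, from the GHSA advisory, or from OpenCVE. It assumes the library is installed through Composer (so `vendor/autoload.php` exists) and uses the extension's public classes and the `disallowed_raw_html` configuration key of the 2.x API; the sample inputs are constructed from the description (the plain tag and the same tag with a newline, a tab and a space before the closing `>`), and the tag list is the extension's default set.

```php
<?php
// Added regression check for the DisallowedRawHtml whitespace bypass.
// Not part of league/commonmark or the advisory; assumes a Composer install.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\Extension\DisallowedRawHtml\DisallowedRawHtmlExtension;
use League\CommonMark\MarkdownConverter;

/**
 * Build a converter the way an application relying on the extension usually
 * does: the CommonMark core plus DisallowedRawHtml with its default tag list.
 */
function buildConverter(): MarkdownConverter
{
    $environment = new Environment([
        'disallowed_raw_html' => [
            'disallowed_tags' => [
                'title', 'textarea', 'style', 'xmp', 'iframe',
                'noembed', 'noframes', 'script', 'plaintext',
            ],
        ],
    ]);
    $environment->addExtension(new CommonMarkCoreExtension());
    $environment->addExtension(new DisallowedRawHtmlExtension());

    return new MarkdownConverter($environment);
}

/**
 * Returns true when every variant of a disallowed tag is neutralised (the
 * extension escapes the opening "<" to "&lt;"), false as soon as a raw
 * "<script" survives into the rendered HTML, i.e. the filter was bypassed.
 */
function disallowedRawHtmlIsEffective(MarkdownConverter $converter): bool
{
    // Constructed inputs: the plain tag, then the tag with a newline, a tab
    // and a space between the name and the closing ">" (the advisory's case).
    $samples = [
        "<script>",
        "<script\n>",
        "<script\t>",
        "<script >",
    ];

    foreach ($samples as $markdown) {
        $html = $converter->convert($markdown)->getContent();
        // Case-insensitive, because browsers treat tag names case-insensitively.
        if (stripos($html, '<script') !== false) {
            return false;
        }
    }

    return true;
}

$ok = disallowedRawHtmlIsEffective(buildConverter());
echo $ok
    ? "DisallowedRawHtml neutralised all whitespace variants\n"
    : "BYPASS: a disallowed tag reached the rendered HTML; upgrade to 2.8.1 or later\n";
exit($ok ? 0 : 1);
```

Run it from the project root (`php check-raw-html.php`); a non-zero exit status means the deployed version still lets the whitespace variant through. If the application also runs a separate HTML sanitizer such as HTML Purifier on the converter's output, apply that sanitizer to `$html` before the `stripos` check so the script tests the pipeline the browser actually receives.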

Advisories
Source | ID | Title
GitHub GHSA | GHSA-4v6x-c7xx-hw9f | CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names
History

Wed, 11 Mar 2026 20:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:thephpleague:commonmark:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Mon, 09 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Thephpleague; Thephpleague commonmark
Vendors & Products | | Thephpleague; Thephpleague commonmark

Sat, 07 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | (the description shown at the top of this page)
Title | | league/commonmark: DisallowedRawHtml extension bypass via whitespace in HTML tag names
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:26:15.482Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30838

Vulnrichment

Updated: 2026-03-09T17:38:56.712Z

NVD

Status : Analyzed

Published: 2026-03-07T16:15:56.250

Modified: 2026-03-11T20:24:06.543

Link: CVE-2026-30838

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:15:18Z

Weaknesses