Description
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
Published: 2026-03-24
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via domain bypass
Action: Patch
AI Analysis

Impact

The DomainFilteringAdapter in the Embed extension misinterprets domain boundaries, allowing strings such as youtube.com.evil to pass the allowlist when youtube.com is permitted. An attacker can craft a Markdown document that includes such a domain in an embed, causing the commonmark parser to download or render content from a malicious site without the owner's permission. This flaw can lead to content injection or XSS in downstream contexts where rendered HTML is displayed.

Affected Systems

Versions 2.3.0 through 2.8.1 of thephpleague commonmark are affected. The vulnerability exists in the Embed extension’s DomainFilteringAdapter before the patch in release 2.8.2. All installations using the unpatched library and accepting user‑supplied Markdown are potentially exposed.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.3 (moderate) and an EPSS below 1 %, indicating low exploitation probability. It is not listed in CISA’s KEV catalog. The likely attack vector is server‑side or client‑side code that accepts Markdown from an attacker. Attacker control of the Markdown content is required; no additional authentication or privilege is needed. Because the flaw is a simple allowlist bypass, it can be readily reproducible using the vulnerable merge function, making it a low‑effort exploit.

Generated by OpenCVE AI on April 8, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade thephpleague/commonmark to version 2.8.2 or later.
  • Rebuild the application to use the latest commonmark library.
  • If upgrade is impossible, restrict the allowed domains list to avoid partial matches or disable the Embed extension.
  • Verify that Markdown input is sanitized before rendering.

Generated by OpenCVE AI on April 8, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hh8v-hgvp-g3f5 league/commonmark has an embed extension allowed_domains bypass
History

Wed, 08 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:thephpleague:commonmark:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Thephpleague
Thephpleague commonmark
Vendors & Products Thephpleague
Thephpleague commonmark

Tue, 24 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
Title league/commonmark has an embed extension allowed_domains bypass
Weaknesses CWE-185
CWE-79
CWE-918
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Thephpleague Commonmark
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:12.754Z

Reserved: 2026-03-18T22:15:11.814Z

Link: CVE-2026-33347

cve-icon Vulnrichment

Updated: 2026-03-26T19:51:17.892Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T20:16:29.240

Modified: 2026-04-08T19:01:50.727

Link: CVE-2026-33347

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:35Z

Weaknesses