{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33347", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.814Z", "datePublished": "2026-03-24T19:26:23.872Z", "dateUpdated": "2026-03-26T19:52:12.754Z"}, "containers": {"cna": {"title": "league/commonmark has an embed extension allowed_domains bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-185", "lang": "en", "description": "CWE-185: Incorrect Regular Expression", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5"}, {"name": "https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b", "tags": ["x_refsource_MISC"], "url": "https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b"}, {"name": "https://github.com/thephpleague/commonmark/releases/tag/2.8.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/thephpleague/commonmark/releases/tag/2.8.2"}], "affected": [{"vendor": "thephpleague", "product": "commonmark", "versions": [{"version": ">= 2.3.0, < 2.8.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:26:23.872Z"}, "descriptions": [{"lang": "en", "value": "league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2."}], "source": {"advisory": "GHSA-hh8v-hgvp-g3f5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33347", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:34:18.389527Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:12.754Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2."}], "id": "CVE-2026-33347", "lastModified": "2026-03-25T15:41:58.280", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:29.240", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b"}, {"source": "security-advisories@github.com", "url": "https://github.com/thephpleague/commonmark/releases/tag/2.8.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-185"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.0,2.8.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "commonmark", "source": "cna", "vendor": "thephpleague"}, "product": "commonmark", "vendor": "thephpleague"}], "analysis": {"en": {"generated_at": "2026-03-24T20:21:09.317149+00:00", "value": {"mitigation_remediation": ["Upgrade league/commonmark to version 2.8.2 or later.", "If upgrading is not immediately feasible, restrict the allowlist of domains and enforce strict hostname boundary matching in the regular expression so that subdomain tricks such as youtube.com.evil are rejected.", "Validate all incoming URLs and hard\u2011code approved patterns to prevent accidental acceptance of malicious domains."], "summary": {"action": "Patch Now", "impact": "Allows arbitrary domain embedding, enabling malicious content injection (XSS)."}, "threat_synthesis": {"affected_systems": "This flaw affects the PHP Markdown parser library league/commonmark released by thephpleague. All versions from 2.3.0 up through 2.8.1 are vulnerable. The fix is bundled in release 2.8.2 and later.", "description_and_impact": "The DomainFilteringAdapter in the Embed extension contains a regular-expression flaw that permits an attacker to bypass the allowlist of approved domains. By submitting a domain such as youtube.com.evil, an input that would normally be blocked, a user can cause the parser to embed content from any external host. This can result in the injection of malicious markup or scripts, leading to cross\u2011site scripting or other content\u2011based exploitation in environments that render the generated HTML.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.3, indicating medium severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog. An attacker needs only the ability to supply Markdown that the application processes; no authentication is required. The straightforward input\u2011control flaw makes exploitation easy in applications that rely on the library to render user\u2011generated content, giving attackers a reliable path to inject harmful scripts or data."}}}}, "created": "2026-03-25T11:46:15.874693+00:00", "updated": "2026-03-25T20:57:40.913860+00:00", "vendors": ["thephpleague", "thephpleague$PRODUCT$commonmark"]}