CVE-2026-30838

MEDIUM

league/commonmark < 2.8.1 - Cross-Site Scripting via DisallowedRawHtml Extension Bypass

Title source: llm

Description

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/thephpleague/commonmark/security/advisories/GHSA-4v6x-c7xx-hw9f

Scores

CVSS v3 6.1

EPSS 0.0022

EPSS Percentile 12.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

league/commonmark 0 - 2.8.1Packagist

thephpleague/commonmark < 2.8.1

Published Mar 07, 2026

Tracked Since Mar 07, 2026