CVE-2026-33347

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.

CVSS

No CVSS.

References

Link	Resource
https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b
https://github.com/thephpleague/commonmark/releases/tag/2.8.2
https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-24 20:16

Updated : 2026-03-25 15:41

NVD link : CVE-2026-33347

Mitre link : CVE-2026-33347

CVE.ORG link : CVE-2026-33347

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-185

Incorrect Regular Expression

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-33347", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-24T20:16:29.240", "references": [{"url": "https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b", "source": "security-advisories@github.com"}, {"url": "https://github.com/thephpleague/commonmark/releases/tag/2.8.2", "source": "security-advisories@github.com"}, {"url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-185"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2."}, {"lang": "es", "value": "league/commonmark es un analizador de Markdown de PHP. Desde la versi\u00f3n 2.3.0 hasta antes de la versi\u00f3n 2.8.2, el DomainFilteringAdapter en la extensi\u00f3n Embed es vulnerable a una omisi\u00f3n de la lista de permitidos debido a una aserci\u00f3n de l\u00edmite de nombre de host faltante en la expresi\u00f3n regular de coincidencia de dominio. Un dominio controlado por un atacante como youtube.com.evil pasa la verificaci\u00f3n de la lista de permitidos cuando youtube.com es un dominio permitido. Este problema ha sido parcheado en la versi\u00f3n 2.8.2."}], "lastModified": "2026-03-25T15:41:58.280", "sourceIdentifier": "security-advisories@github.com"}