CVE-2026-33347

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b	Patch
https://github.com/thephpleague/commonmark/releases/tag/2.8.2	Product Release Notes
https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:thephpleague:commonmark:*:*:*:*:*:*:*:*

History

08 Apr 2026, 19:01

Type	Values Removed	Values Added
Summary		(es) league/commonmark es un analizador de Markdown de PHP. Desde la versión 2.3.0 hasta antes de la versión 2.8.2, el DomainFilteringAdapter en la extensión Embed es vulnerable a una omisión de la lista de permitidos debido a una aserción de límite de nombre de host faltante en la expresión regular de coincidencia de dominio. Un dominio controlado por un atacante como youtube.com.evil pasa la verificación de la lista de permitidos cuando youtube.com es un dominio permitido. Este problema ha sido parcheado en la versión 2.8.2.
References	~~() https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b -~~	() https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b - Patch
References	~~() https://github.com/thephpleague/commonmark/releases/tag/2.8.2 -~~	() https://github.com/thephpleague/commonmark/releases/tag/2.8.2 - Product, Release Notes
References	~~() https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5 -~~	() https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5 - Mitigation, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
First Time		Thephpleague Thephpleague commonmark
CPE		cpe:2.3:a:thephpleague:commonmark::::::::

24 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 20:16

Updated : 2026-04-08 19:01

NVD link : CVE-2026-33347

Mitre link : CVE-2026-33347

CVE.ORG link : CVE-2026-33347

JSON object : View

Products Affected

thephpleague

commonmark

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-185

Incorrect Regular Expression

CWE-918

Server-Side Request Forgery (SSRF)

6.1 /10