Fluid Attacks Database

Description

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	league/commonmark	>=2.3.0 <2.8.2	2.8.2
debian 14	php-league-commonmark	=2.7.0-1 \|\| =2.7.1-1 \|\| =2.7.1-2 \|\| =2.8.0-1 \|\| =2.8.1-1 \|\| >=0 <2.8.2-1	2.8.2-1
debian 11	php-league-commonmark	=1.5.7-2 \|\| =1.5.8-1 \|\| =1.6.2-1 \|\| =1.6.6-1 \|\| =1.6.7-1 \|\| =2.1.1-1 \|\| =2.2.0-1 \|\| =2.2.1-1 \|\| =2.2.2-1 \|\| =2.2.3-1 \|\| =2.3.3-1 \|\| =2.3.3-2 \|\| =2.3.3-3 \|\| =2.3.4-1 \|\| =2.3.5-1 \|\| =2.3.6-1 \|\| =2.3.7-1 \|\| =2.3.8-1 \|\| =2.3.9-1 \|\| =2.4.0-1 \|\| =2.4.1-1 \|\| =2.4.2-1 \|\| =2.4.2-2 \|\| =2.5.0-1 \|\| =2.5.1-1 \|\| =2.5.3-1 \|\| =2.6.0-1 \|\| =2.6.1-1 \|\| =2.6.1-2 \|\| =2.6.2-1 \|\| =2.7.0-1 \|\| =2.7.1-1 \|\| =2.7.1-2 \|\| =2.8.0-1 \|\| =2.8.1-1 \|\| =2.8.2-1	-
debian 12	php-league-commonmark	=2.3.9-1 \|\| =2.4.0-1 \|\| =2.4.1-1 \|\| =2.4.2-1 \|\| =2.4.2-2 \|\| =2.5.0-1 \|\| =2.5.1-1 \|\| =2.5.3-1 \|\| =2.6.0-1 \|\| =2.6.1-1 \|\| =2.6.1-2 \|\| =2.6.2-1 \|\| =2.7.0-1 \|\| =2.7.1-1 \|\| =2.7.1-2 \|\| =2.8.0-1 \|\| =2.8.1-1 \|\| =2.8.2-1	-
debian 13	php-league-commonmark	=2.7.0-1 \|\| =2.7.1-1 \|\| =2.7.1-2 \|\| =2.8.0-1 \|\| =2.8.1-1 \|\| =2.8.2-1	-

Aliases

1. CVE-2026-333472. NVD-2026-333473. OSV-2026-333474. OSV-DEBIAN-2026-333475. GHSA-hh8v-hgvp-g3f56. GCVE-2026-333477. SECURITY-TRACKER-CVE-2026-33347

References

1. https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.