{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33347", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.814Z", "datePublished": "2026-03-24T19:26:23.872Z", "dateUpdated": "2026-03-26T19:52:12.754Z"}, "containers": {"cna": {"title": "league/commonmark has an embed extension allowed_domains bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-185", "lang": "en", "description": "CWE-185: Incorrect Regular Expression", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5"}, {"name": "https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b", "tags": ["x_refsource_MISC"], "url": "https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b"}, {"name": "https://github.com/thephpleague/commonmark/releases/tag/2.8.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/thephpleague/commonmark/releases/tag/2.8.2"}], "affected": [{"vendor": "thephpleague", "product": "commonmark", "versions": [{"version": ">= 2.3.0, < 2.8.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:26:23.872Z"}, "descriptions": [{"lang": "en", "value": "league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2."}], "source": {"advisory": "GHSA-hh8v-hgvp-g3f5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33347", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:34:18.389527Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:12.754Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33347", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:34:18.389527Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:51:17.892Z"}}], "cna": {"title": "league/commonmark has an embed extension allowed_domains bypass", "source": {"advisory": "GHSA-hh8v-hgvp-g3f5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "thephpleague", "product": "commonmark", "versions": [{"status": "affected", "version": ">= 2.3.0, < 2.8.2"}]}], "references": [{"url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5", "name": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b", "name": "https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/thephpleague/commonmark/releases/tag/2.8.2", "name": "https://github.com/thephpleague/commonmark/releases/tag/2.8.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-185", "description": "CWE-185: Incorrect Regular Expression"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:26:23.872Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33347", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:12.754Z", "dateReserved": "2026-03-18T22:15:11.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T19:26:23.872Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thephpleague:commonmark:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AA5B677-3465-425F-BE92-CF6AD560CABF", "versionEndExcluding": "2.8.2", "versionStartIncluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2."}, {"lang": "es", "value": "league/commonmark es un analizador de Markdown de PHP. Desde la versi\u00f3n 2.3.0 hasta antes de la versi\u00f3n 2.8.2, el DomainFilteringAdapter en la extensi\u00f3n Embed es vulnerable a una omisi\u00f3n de la lista de permitidos debido a una aserci\u00f3n de l\u00edmite de nombre de host faltante en la expresi\u00f3n regular de coincidencia de dominio. Un dominio controlado por un atacante como youtube.com.evil pasa la verificaci\u00f3n de la lista de permitidos cuando youtube.com es un dominio permitido. Este problema ha sido parcheado en la versi\u00f3n 2.8.2."}], "id": "CVE-2026-33347", "lastModified": "2026-04-08T19:01:50.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:29.240", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/thephpleague/commonmark/releases/tag/2.8.2"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-185"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.0,2.8.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "commonmark", "source": "cna", "vendor": "thephpleague"}, "product": "commonmark", "vendor": "thephpleague"}], "analysis": {"en": {"generated_at": "2026-04-08T20:42:40.574461+00:00", "value": {"mitigation_remediation": ["Upgrade thephpleague/commonmark to version 2.8.2 or later.", "Rebuild the application to use the latest commonmark library.", "If upgrade is impossible, restrict the allowed domains list to avoid partial matches or disable the Embed extension.", "Verify that Markdown input is sanitized before rendering."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting via domain bypass"}, "threat_synthesis": {"affected_systems": "Versions 2.3.0 through 2.8.1 of thephpleague commonmark are affected. The vulnerability exists in the Embed extension\u2019s DomainFilteringAdapter before the patch in release 2.8.2. All installations using the unpatched library and accepting user\u2011supplied Markdown are potentially exposed.", "description_and_impact": "The DomainFilteringAdapter in the Embed extension misinterprets domain boundaries, allowing strings such as youtube.com.evil to pass the allowlist when youtube.com is permitted. An attacker can craft a Markdown document that includes such a domain in an embed, causing the commonmark parser to download or render content from a malicious site without the owner's permission. This flaw can lead to content injection or XSS in downstream contexts where rendered HTML is displayed.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.3 (moderate) and an EPSS below 1\u202f%, indicating low exploitation probability. It is not listed in CISA\u2019s KEV catalog. The likely attack vector is server\u2011side or client\u2011side code that accepts Markdown from an attacker. Attacker control of the Markdown content is required; no additional authentication or privilege is needed. Because the flaw is a simple allowlist bypass, it can be readily reproducible using the vulnerable merge function, making it a low\u2011effort exploit."}}}}, "created": "2026-03-25T11:46:15.874693+00:00", "updated": "2026-04-09T08:29:35.779859+00:00", "vendors": ["thephpleague", "thephpleague$PRODUCT$commonmark"]}