League Commonmark Markdown Parser: XSS Through HTML Tag Bypass

DEBIAN-CVE-2026-30838
Summary

A security issue in the League Commonmark PHP Markdown parser, prior to version 2.8.1, lets disallowed raw HTML (for example a script tag) pass through unfiltered into the rendered output, which is a cross-site scripting (XSS) vector. It affects any application that relies on this parser's DisallowedRawHtml extension to sanitize untrusted Markdown; applications that additionally run a dedicated HTML sanitizer on the rendered output are not affected. Update to version 2.8.1 or later to fix the issue.

What to do
  • Update debian php-league-commonmark to version 2.8.1-1.
Affected software
Vendor | Product | Affected versions | Fix available
debian | php-league-commonmark | All versions |
debian | php-league-commonmark | <= 2.8.1-1 | 2.8.1-1
Original title
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disall...
Original description
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.
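To make the bypass concrete from a detection standpoint, the following is an added Python example (not code from league/commonmark, from the Debian package, or from this advisory). It contrasts a naive raw-HTML filter that only recognises a disallowed tag name when it is followed by a space, "/" or ">" with a whitespace-tolerant filter that follows the HTML tokenizer rule that a tag name also ends at tab, line feed, form feed or carriage return. The tag list is assumed to match the GitHub Flavored Markdown "tagfilter" list that the DisallowedRawHtml extension is modelled on; the sample rendered HTML is constructed for the example.

```python
import re

# Tag names disallowed by the GFM "tagfilter" extension, which
# league/commonmark's DisallowedRawHtml extension is modelled on.
# Assumed list for this example; check the extension's configuration
# for the exact set your version uses.
DISALLOWED_TAGS = (
    "title", "textarea", "style", "xmp", "iframe",
    "noembed", "noframes", "script", "plaintext",
)

_NAMES = "|".join(DISALLOWED_TAGS)

# Naive filter: a tag name only "ends" at space, "/" or ">".
# This is the shape of check that "<script\n>" slips past.
_NAIVE = re.compile(r"<(/?)(" + _NAMES + r")(?=[ />])", re.IGNORECASE)

# Whitespace-tolerant filter: per the HTML tokenizer, a tag name ends at
# ASCII whitespace (tab, LF, FF, CR, space), at "/" or at ">". Vertical
# tab is deliberately excluded because browsers treat it as part of the
# tag name, so "<script\v>" is not a script tag.
_STRICT = re.compile(r"<(/?)(" + _NAMES + r")(?=[\t\n\f\r />])", re.IGNORECASE)


def find_disallowed_tags(html: str, pattern: "re.Pattern[str]" = _STRICT):
    """Return (offset, lowercased tag name) for each disallowed raw HTML tag."""
    return [(m.start(), m.group(2).lower()) for m in pattern.finditer(html)]


def neutralise_disallowed_tags(html: str) -> str:
    """Escape the '<' of every disallowed tag so browsers render it as text.

    Mirrors what tagfilter does (emit '&lt;' instead of '<'), but is
    whitespace-tolerant so '<script\\n>' and '</script\\t>' are caught too.
    """
    return _STRICT.sub(lambda m: "&lt;" + m.group(1) + m.group(2), html)


# Constructed sample of rendered output; not taken from any real application.
SAMPLE_RENDERED = (
    "<p>hello</p>\n"
    "<script>alert(1)</script>\n"        # ordinary tags: caught by both filters
    "<script\n>alert(2)</script\t>\n"    # whitespace bypass: naive filter misses both
    "<scripts>not a script tag</scripts>\n"  # different tag name: must be left alone
)


if __name__ == "__main__":
    print("naive :", find_disallowed_tags(SAMPLE_RENDERED, _NAIVE))
    print("strict:", find_disallowed_tags(SAMPLE_RENDERED))
    print(neutralise_disallowed_tags(SAMPLE_RENDERED))
```

The regex check is useful as a regression test against your own rendered output, but, as the advisory notes, a dedicated HTML sanitizer such as HTML Purifier applied to the rendered HTML is the robust mitigation, since it parses the output as HTML rather than pattern-matching it.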
Source: osv · CVSS 4.0 score: 7.3
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026