Commonmark PHP Parser Fails to Block Malicious HTML
GHSA-4v6x-c7xx-hw9f
CVE-2026-30838
Summary
The Commonmark PHP Markdown parser failed to block malicious HTML code in some cases. This allowed attackers to inject malicious code into web pages, which could harm users. To fix this, update to Commonmark version 2.8.1 or later.
What to do
- Update league/commonmark to version 2.8.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| league | commonmark | <= 2.8.0 | 2.8.1 |
| league | league/commonmark | <= 2.8.1 | 2.8.1 |
| thephpleague | commonmark | <= 2.8.1 | – |
Original description
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.
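As an added illustration (not the library's own code), the two tag checks below show the bug class the advisory describes: a naive pattern that requires `>` immediately after the tag name misses `<script\n>`, while a check that ends the tag name at any ASCII whitespace, `/` or `>` catches every variant. The tag list and the "escape the leading `<`" behaviour are assumptions modelled on the GFM disallowed-raw-HTML extension.

```python
import re

# Constructed subset of the tag names the extension blocks by default
# (the GFM "disallowed raw HTML" list); the real list lives in the library.
DISALLOWED_TAGS = ("title", "textarea", "style", "xmp", "iframe",
                   "noembed", "noframes", "script", "plaintext")
_NAMES = "|".join(DISALLOWED_TAGS)

# ASCII whitespace as the CommonMark grammar defines it: space, tab, LF,
# VT, FF and CR. A tag name ends at one of these, at '/' or at '>'.
_ASCII_WS = " \t\n\x0b\x0c\r"

# Flawed check (hypothetical, modelled on the bug class in the advisory):
# '>' must follow the tag name directly, so "<script\n>" is not recognised.
NAIVE_RE = re.compile(rf"<(/?)({_NAMES})>", re.IGNORECASE)

# Hardened check: the tag name must be followed by ASCII whitespace, '/' or
# '>', so "<script\n>", "<script\t>", "<script >" and "<script src=...>"
# are all recognised, while a different tag such as "<scripting>" is not.
HARDENED_RE = re.compile(rf"<(/?)({_NAMES})(?=[{_ASCII_WS}/>])", re.IGNORECASE)


def naive_is_disallowed(raw_html: str) -> bool:
    """Return True if the flawed pattern recognises a disallowed tag."""
    return NAIVE_RE.search(raw_html) is not None


def hardened_is_disallowed(raw_html: str) -> bool:
    """Return True if the whitespace-aware pattern recognises a disallowed tag."""
    return HARDENED_RE.search(raw_html) is not None


def neutralize(raw_html: str) -> str:
    """Escape the leading '<' of every disallowed tag (GFM extension behaviour,
    assumed here) so the browser renders it as text rather than as a tag."""
    return HARDENED_RE.sub(lambda m: "&lt;" + m.group(1) + m.group(2), raw_html)


if __name__ == "__main__":
    # Constructed inputs covering the whitespace variants named in the advisory.
    for sample in ("<script>", "<script\n>", "<script\t>", "</script >", "<scripting>"):
        print(repr(sample), naive_is_disallowed(sample), hardened_is_disallowed(sample))
    print(neutralize("<script\n>payload</script>"))
```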
CVSS 4.0 score (GHSA): 5.1
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026