CVE-2026-33347

UNKNOWN 0.0

league/commonmark has an embed extension allowed_domains bypass

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

13th

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.

CWE	CWE-79 CWE-185 CWE-918
Vendor	thephpleague
Product	commonmark
Published	Mar 24, 2026
Last Updated	Mar 26, 2026

Stay Ahead of the Next One

Get instant alerts for thephpleague commonmark

Be the first to know when new unknown vulnerabilities affecting thephpleague commonmark are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

thephpleague / commonmark

>= 2.3.0, < 2.8.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5 github.com: https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b github.com: https://github.com/thephpleague/commonmark/releases/tag/2.8.2