anonhaven
Ad

CVE-2026-33347

MEDIUM CVSS 4.0: 6.3 EPSS 0.04%
Updated Mar 25, 2026
PHP
Parameter Value
CVSS 6.3 (MEDIUM)
Affected Versions before 2.8.2
Fixed In 2.8.2
Type CWE-918 (Server-Side Request Forgery (SSRF)), CWE-79 (Cross-Site Scripting (XSS)), CWE-185
Vendor PHP
Public PoC No

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain.

This issue has been patched in version 2.8.2.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-918 Server-Side Request Forgery (SSRF)
CWE-79 Cross-Site Scripting (XSS)
CWE-185

References 3

https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32…
security-advisories@github.com
https://github.com/thephpleague/commonmark/releases/tag/2.8.2
security-advisories@github.com
https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g…
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33993

PHP

6.9

CVE-2026-33991

PHP

8.8

CVE-2026-4973

PHP

5.1

CVE-2026-4972

PHP

4.8

CVE-2026-33765

PHP

8.9