CVE-2026-30838
XSS Vulnerability in league/commonmark DisallowedRawHtml Extension
Publication date: 2026-03-07
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thephpleague | commonmark | < 2.8.1 (all releases up to and including 2.8.0) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30838 is a moderate severity cross-site scripting (XSS) vulnerability in the DisallowedRawHtml extension of the league/commonmark PHP Markdown parser package, affecting versions up to and including 2.8.0.
The extension neutralizes disallowed raw HTML tags by matching the tag name together with the character that ends it. Browsers end a tag name at any ASCII whitespace (space, tab, line feed, form feed, carriage return), but the extension's regular expression did not recognize every one of those characters as a terminator. A tag written as <script\n> (a newline between the name and the closing angle bracket), or with a tab in the same position, therefore passed through unchanged and was still interpreted by the browser as a script tag.
Any application that relies on this extension alone to neutralize untrusted Markdown is therefore exposed to cross-site scripting through such tags.
The issue was fixed in version 2.8.1 by improving the regular expression to correctly match all whitespace characters that browsers accept as valid tag name terminators.
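The bypass, as an added illustration that is not code from league/commonmark: a space-only tag filter beside a whitespace-aware one. Both are regex stand-ins for the bug class, not the library's actual pattern. The tag list is the GFM tagfilter set, assumed here as a sample; the five whitespace characters are the ones the HTML tokenizer accepts as tag-name terminators.

```python
import re

# The five ASCII characters the HTML tokenizer treats as whitespace ending a tag name.
# A filter that only knows the plain space (0x20) misses the other four.
HTML_WHITESPACE = " \t\n\f\r"

# Sample disallowed list: the GFM "tagfilter" set (assumed here; use your own config).
DISALLOWED_TAGS = ("title", "textarea", "style", "xmp", "iframe",
                   "noembed", "noframes", "script", "plaintext")
_ALT = "|".join(DISALLOWED_TAGS)

# Illustrative space-only filter: after the tag name it accepts only ' ', '/' or '>'.
# A stand-in for the bug class, not league/commonmark's actual regular expression.
SPACE_ONLY = re.compile(r"<(/?(?:%s)[ />])" % _ALT, re.IGNORECASE)

# Hardened variant: any of the five HTML whitespace characters also ends the name,
# which is what the browser will do with the same bytes.
WHITESPACE_AWARE = re.compile(r"<(/?(?:%s)[ \t\n\f\r/>])" % _ALT, re.IGNORECASE)


def space_only_filter(html: str) -> str:
    """Neutralize disallowed tags by escaping their '<'; space-only version."""
    return SPACE_ONLY.sub(r"&lt;\1", html)


def whitespace_aware_filter(html: str) -> str:
    """Same, but recognizing every HTML whitespace character as a terminator."""
    return WHITESPACE_AWARE.sub(r"&lt;\1", html)


def leaks_raw_tag(filtered: str) -> bool:
    """True if a disallowed tag still opens with a raw '<' after filtering."""
    return WHITESPACE_AWARE.search(filtered) is not None


def compare(payload: str) -> dict:
    """Run both filters on one payload and report whether the weak one is bypassed."""
    weak = space_only_filter(payload)
    return {
        "space_only": weak,
        "whitespace_aware": whitespace_aware_filter(payload),
        "bypasses_space_only": leaks_raw_tag(weak),
    }


def bypassing_whitespace() -> str:
    """The whitespace characters that defeat the space-only filter (expected: all but ' ')."""
    return "".join(ws for ws in HTML_WHITESPACE
                   if compare(f"<script{ws}>alert(1)</script>")["bypasses_space_only"])


if __name__ == "__main__":
    for ws in HTML_WHITESPACE:
        result = compare(f"<script{ws}>alert(1)</script>")
        print(f"U+{ord(ws):04X}: bypass={result['bypasses_space_only']} "
              f"-> {result['space_only']!r}")
```

The closing tag is escaped by both filters, which is why the payload still executes: the browser only needs the opening tag to reach it intact.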
How can this vulnerability impact me?
This vulnerability can lead to cross-site scripting (XSS) attacks in applications that use the DisallowedRawHtml extension to process untrusted Markdown input.
An attacker can inject malicious scripts by inserting whitespace characters into disallowed HTML tags, which bypasses the sanitization and executes in the context of the user's browser.
The impact is rated as low confidentiality and low integrity: unauthorized script execution in the victim's browser, which could lead to session hijacking, defacement, or other malicious actions within the affected application.
Applications that pass the rendered HTML through a dedicated HTML sanitizer are not affected. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the DisallowedRawHtml extension of the league/commonmark package failing to neutralize disallowed HTML tags when whitespace characters are inserted between the tag name and the closing angle bracket. Detection starts with inventory: identify applications that use a league/commonmark version before 2.8.1 with this extension enabled and that process untrusted Markdown input. The installed version is recorded in composer.lock, or run composer show league/commonmark inside the project.
To detect exploitation attempts, search logs or stored input for a disallowed tag name followed by whitespace other than a plain space before the closing bracket or the attributes, such as <script\n> or <iframe\tsrc=...>. A plain space after the tag name is the normal form and was handled by the extension, so patterns should require at least one of the other whitespace characters, or the search will mostly return ordinary HTML.
Example commands:
- Raw tags in stored content or application logs: grep -iP '<(script|iframe|style|title|textarea|xmp|noembed|noframes|plaintext)[\t\f\r]' /path/to/logfile
- grep is line-oriented, so a tag split by a literal newline only matches when the file is read as a single record (GNU grep -z): grep -ziP '<(script|iframe)[\t\n\f\r]' /path/to/file
- Web server access logs usually carry the payload percent-encoded (%09 tab, %0A line feed, %0C form feed, %0D carriage return): grep -iP '%3C(script|iframe|style|title|textarea)%0[9acd]' /path/to/access.log
Any hit should be checked against the rendered output of the affected page; the version check above decides whether the application was actually vulnerable at the time. [1]
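Detection logic over log lines, as an added example that is not from the page or the project. It generalizes the grep searches to the percent-encoded form found in access logs and to tags carrying attributes: it flags a disallowed tag name followed directly by tab, LF, FF or CR, which is exactly the shape that slipped past the filter. The tag list is the GFM tagfilter set, assumed as a sample, and the access-log lines and 203.0.113.x addresses are constructed.

```python
import re
from urllib.parse import unquote

# Sample disallowed list: the GFM "tagfilter" set (assumed here; use your own config).
DISALLOWED_TAGS = ("title", "textarea", "style", "xmp", "iframe",
                   "noembed", "noframes", "script", "plaintext")

# Bypass signature: a disallowed tag name followed directly by tab, LF, FF or CR.
# A plain space is excluded on purpose: that form was already handled by the filter,
# so matching it would only flag ordinary HTML and bury the real hits.
BYPASS_SIGNATURE = re.compile(
    r"<(/?)(%s)([\t\n\f\r])" % "|".join(DISALLOWED_TAGS), re.IGNORECASE)

# Constructed access-log lines (not real traffic). Lines 1 and 2 carry the bypass
# percent-encoded (%0A = LF, %09 = tab); line 3 is a plain <script> that the
# extension handles correctly; line 4 uses a tag that is not on the disallowed list.
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Mar/2026:10:00:01 +0000] "POST /comments HTTP/1.1" 200 512 '
    '"body=%3Cscript%0A%3Ealert(1)%3C/script%3E"',
    '203.0.113.11 - - [07/Mar/2026:10:00:02 +0000] "GET /?q=%3Ciframe%09src=x%3E HTTP/1.1" 200 88',
    '203.0.113.12 - - [07/Mar/2026:10:00:03 +0000] "POST /comments HTTP/1.1" 200 512 '
    '"body=%3Cscript%3Ealert(1)%3C/script%3E"',
    '203.0.113.13 - - [07/Mar/2026:10:00:04 +0000] "POST /comments HTTP/1.1" 200 512 '
    '"body=%3Cdiv%0A%3Ehello%3C/div%3E"',
]


def scan_text(text: str) -> list:
    """Return (tag, whitespace_codepoint) for each bypass-shaped tag in decoded text."""
    return [(m.group(2).lower(), ord(m.group(3)))
            for m in BYPASS_SIGNATURE.finditer(text)]


def scan_log(lines) -> list:
    """Scan log lines one at a time, percent-decoding each before matching.

    Returns (line_number, tag, whitespace_codepoint) triples with 1-based line
    numbers. Decoding first is what lets a line-oriented scan see an encoded
    newline (%0A) that a raw grep for the byte could never find on one line.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for tag, code in scan_text(unquote(line)):
            hits.append((lineno, tag, code))
    return hits


if __name__ == "__main__":
    for lineno, tag, code in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: <{tag}> followed by U+{code:04X}")
```

For stored content (database exports, application logs that keep the raw body), read the whole file into one string and call scan_text so that a literal newline inside the tag is seen; if the source may be double-encoded or HTML-entity-encoded, add the corresponding decoding pass before scanning.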
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade league/commonmark to version 2.8.1 or later, where the regular expression has been corrected.
If upgrading immediately is not possible, set the html_input configuration option to 'escape' or 'strip'. This disables all raw HTML processing, including tags the extension would otherwise have allowed, so it is more restrictive than the extension but cannot be bypassed by the whitespace trick.
Another mitigation is to pass the rendered HTML through a dedicated HTML sanitizer (e.g. HTML Purifier) before serving it to users, which neutralizes any tag that slipped through the extension; this is defence in depth and is worth keeping after the upgrade.
Review your application to ensure it does not rely solely on the DisallowedRawHtml extension to sanitize untrusted Markdown input: the extension is a tag filter for a fixed list of names, not a general-purpose HTML sanitizer. [1]