CVE-2026-33347
Allowlist Bypass in league/commonmark Embed DomainFilteringAdapter

Publication date: 2026-03-24

Last updated on: 2026-04-08

Assigner: GitHub, Inc.

Description
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
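As an added illustration (not league/commonmark's own code and not its actual regex), the Python below mirrors the bug class described above: an allowlist check whose domain regex is anchored only at the start of the host, beside the hardened form that also asserts the end of the hostname, both run against the youtube.com.evil case from the description. The allowlist and URLs are constructed samples.

```python
import re
from urllib.parse import urlparse

# Constructed sample allowlist for the demonstration.
ALLOWED_DOMAINS = ["youtube.com", "vimeo.com"]


def weak_pattern(allowed):
    """Bug class from the advisory: the alternation of allowed domains is
    anchored at the start of the host (optionally after subdomain labels) but
    has no end-of-hostname assertion, so "youtube.com" matches the prefix of
    "youtube.com.evil"."""
    alternation = "|".join(re.escape(d) for d in allowed)
    return re.compile(r"^(?:.+\.)?(?:" + alternation + ")", re.IGNORECASE)


def fixed_pattern(allowed):
    """Hardened form: anchored on both ends, so the host must be exactly an
    allowed domain or a subdomain of one (only label characters before it)."""
    alternation = "|".join(re.escape(d) for d in allowed)
    return re.compile(r"^(?:[a-z0-9-]+\.)*(?:" + alternation + r")$", re.IGNORECASE)


def embed_host(url):
    """Extract the hostname the allowlist is meant to judge. urlparse().hostname
    strips userinfo and port and lowercases, so 'https://youtube.com@evil.example/'
    yields 'evil.example' rather than anything starting with youtube.com."""
    return urlparse(url).hostname or ""


def is_allowed(url, allowed, pattern_factory):
    """True if the URL's host passes the allowlist under the given regex."""
    return pattern_factory(allowed).search(embed_host(url)) is not None


if __name__ == "__main__":
    samples = [
        "https://www.youtube.com/embed/abc",
        "https://youtube.com.evil/embed/abc",  # attacker-controlled host, per the advisory
        "https://notyoutube.com/embed/abc",
    ]
    for url in samples:
        print(f"{url:40} weak={is_allowed(url, ALLOWED_DOMAINS, weak_pattern)!s:5} "
              f"fixed={is_allowed(url, ALLOWED_DOMAINS, fixed_pattern)}")
```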
Meta Information
Published: 2026-03-24
Last Modified: 2026-04-08
Generated: 2026-05-07
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: thephpleague
Product: commonmark
Version range: from 2.3.0 (inclusive) to 2.8.2 (exclusive)
Weaknesses (CWE)
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-185: The product specifies a regular expression in a way that causes data to be improperly matched or compared.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the league/commonmark PHP Markdown parser, specifically in the DomainFilteringAdapter of its Embed extension. Between versions 2.3.0 and before 2.8.2, the domain-matching regular expression used to enforce an allowlist of domains lacks a proper hostname boundary assertion. This flaw allows an attacker to bypass the allowlist by using crafted domains such as youtube.com.evil, which incorrectly passes the check when youtube.com is an allowed domain.

This issue was fixed in version 2.8.2 of league/commonmark.


How can this vulnerability impact me?

This vulnerability can allow attackers to bypass domain allowlists and potentially embed or link to malicious or unauthorized content by using crafted domain names that appear to be allowed domains but are actually controlled by attackers.

As a result, users or applications relying on the domain allowlist for security may be exposed to phishing, malware distribution, or other malicious activities through seemingly trusted embedded content.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade the league/commonmark package to version 2.8.2 or later, where the issue has been patched.

