CVE-2026-33347
Allowlist Bypass in league/commonmark Embed DomainFilteringAdapter

Publication date: 2026-03-24

Last updated on: 2026-04-08

Assigner: GitHub, Inc.

Description
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
Meta Information
Published: 2026-03-24
Last Modified: 2026-04-08
Generated: 2026-06-16
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: thephpleague
Product: commonmark
Version / Range: from 2.3.0 (inclusive) to 2.8.2 (exclusive)
CWE
CWE-185: The product specifies a regular expression in a way that causes data to be improperly matched or compared.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

The vulnerability exists in the league/commonmark PHP Markdown parser, specifically in the DomainFilteringAdapter of its Embed extension. From version 2.3.0 up to (but not including) 2.8.2, the domain-matching regular expression used to enforce an allowlist of domains lacks a hostname boundary assertion: it confirms that the hostname starts with an allowed domain but never checks that the allowed domain is where the hostname ends. This flaw allows an attacker to bypass the allowlist with a crafted domain such as youtube.com.evil, which passes the check when youtube.com is an allowed domain.

This issue was fixed in version 2.8.2 of league/commonmark.
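The following Python snippet is an added illustration of the flaw class described above; it is not code from league/commonmark, and the two regular expressions are a hypothetical reconstruction of the weak and hardened checks rather than the library's actual pattern. The allowlist and the sample embed URLs are constructed for the demonstration. It also shows why the check should run against a parsed hostname rather than the raw URL string.

```python
import re
from urllib.parse import urlparse

# Constructed sample allowlist; a real deployment supplies its own.
ALLOWED_DOMAINS = ("youtube.com", "vimeo.com")


def weak_domain_pattern(allowed):
    """Hypothetical reconstruction of the flawed check: anchored at the start
    of the hostname and permitting subdomains, but with no end-of-hostname
    assertion, so any suffix appended to an allowed domain is accepted."""
    alternatives = "|".join(re.escape(d) for d in allowed)
    return re.compile(r"^(?:[a-z0-9-]+\.)*(?:" + alternatives + r")", re.IGNORECASE)


def strict_domain_pattern(allowed):
    """Hardened form: identical except for the end-of-string assertion ($),
    so the allowed domain must be where the hostname ends."""
    alternatives = "|".join(re.escape(d) for d in allowed)
    return re.compile(r"^(?:[a-z0-9-]+\.)*(?:" + alternatives + r")$", re.IGNORECASE)


def hostname_of(url):
    """Extract the hostname with a real URL parser instead of matching the raw
    URL: userinfo ("user@"), ports and paths must not influence the decision."""
    host = urlparse(url).hostname  # already lower-cased, userinfo/port removed
    if not host:
        return None
    return host.rstrip(".")  # a trailing dot names the same host


def is_allowed(url, pattern):
    """True when the URL's hostname satisfies the given allowlist pattern."""
    host = hostname_of(url)
    return bool(host and pattern.match(host))


# Constructed sample embed URLs used to compare the two checks.
SAMPLE_URLS = (
    "https://www.youtube.com/watch?v=example",  # legitimate subdomain of an allowed domain
    "https://youtube.com.evil/watch",           # the bypass class named in the advisory
    "https://notyoutube.com/",                  # prefix, not a subdomain: must be rejected
    "https://youtube.com@evil.test/",           # userinfo trick; the parser must ignore it
)


def compare_checks(urls=SAMPLE_URLS, allowed=ALLOWED_DOMAINS):
    """Return {url: (weak_result, strict_result)} so the two checks can be
    compared side by side on the same input."""
    weak = weak_domain_pattern(allowed)
    strict = strict_domain_pattern(allowed)
    return {u: (is_allowed(u, weak), is_allowed(u, strict)) for u in urls}


if __name__ == "__main__":
    for url, (weak_ok, strict_ok) in compare_checks().items():
        print(f"{url:45} weak={weak_ok!s:5} strict={strict_ok!s:5}")
```

Running the block shows the only input on which the two checks disagree: the weak pattern accepts youtube.com.evil while the anchored pattern rejects it, and both correctly accept www.youtube.com and reject the prefix and userinfo cases. The anchored pattern is the practical check to look for when auditing any hostname allowlist built from regular expressions.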

Impact Analysis

This vulnerability allows an attacker to bypass the domain allowlist and have the parser embed or link to content from a domain the attacker controls, because a hostname that merely begins with an allowed domain is treated as if it were that domain.

As a result, users or applications relying on the domain allowlist for security may be exposed to phishing, malware distribution, or other malicious activities through seemingly trusted embedded content.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the league/commonmark package to version 2.8.2 or later, where the issue has been patched.
