PT-2026-23795 · Unknown+2 · League/Commonmark+2
Colinodell
Published: 2026-03-06
Updated: 2026-04-21
CVE-2026-30838
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
league/commonmark versions prior to 2.8.1
Description
The DisallowedRawHtml extension in league/commonmark can be bypassed by inserting ASCII whitespace characters between a disallowed HTML tag name and the closing '>'. For example, `<script` would pass through unfiltered and be rendered as a valid HTML tag by browsers. This creates a cross-site scripting (XSS) vector for applications that rely on this extension to sanitize untrusted user input. Applications that run a dedicated HTML sanitizer, such as HTML Purifier, over the rendered output are not affected. The issue stems from a regex character class that did not match all of the whitespace characters browsers accept as tag-name terminators.
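An added illustration, not league/commonmark's own code: a Python model of the regex flaw the description refers to. The two patterns, the tag subset and the sample inputs are constructed for this demo; the terminator set in FIXED follows the HTML tokenizer's tag-name terminators (tab, LF, FF, CR, space, '/', '>').

```python
import re

# Constructed subset of disallowed tag names; the real extension blocks more.
TAGS = "script|style|iframe"

# Model of the flawed check (assumed form): the character class after the tag
# name admits only a space, '/' or '>', so "<script\t>" is not seen as a tag.
WEAK = re.compile(rf"<(/?)({TAGS})(?=[ />])", re.I)

# Hardened check: stop the tag name on every character the HTML tokenizer
# treats as a tag-name terminator, matching what browsers accept.
FIXED = re.compile(rf"<(/?)({TAGS})(?=[\t\n\f\r />])", re.I)


def filter_raw_html(html: str, pattern: re.Pattern) -> str:
    """Neutralise disallowed tags by escaping their leading '<', the same
    approach the extension takes; other markup is left untouched."""
    return pattern.sub(lambda m: "&lt;" + m.group(1) + m.group(2), html)


# Constructed inputs: plain form, three whitespace-terminated forms, and a
# different tag name that must not be touched by either check.
SAMPLES = [
    "<script>alert(1)</script>",
    "<script\t>alert(1)</script>",
    "<script\n>alert(1)</script>",
    "<script\f>alert(1)</script>",
    "<scripts>",
]


def bypasses_weak_check() -> list:
    """Return the samples whose opening tag survives WEAK but not FIXED."""
    return [s for s in SAMPLES
            if filter_raw_html(s, WEAK) != filter_raw_html(s, FIXED)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(filter_raw_html(s, WEAK)),
              "|", repr(filter_raw_html(s, FIXED)))
```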
Recommendations
Versions prior to 2.8.1 should be updated to version 2.8.1 or later.
As a workaround, set the `html_input` configuration option to 'escape' or 'strip' to disable all raw HTML.
Pass the rendered HTML through a dedicated HTML sanitizer before serving it to users.
Exploit · Fix · XSS
Affected Products
Linuxmint
Ubuntu
League/Commonmark