PT-2026-26486 · League+4 · Commonmark+5
Huajihd · Published 2026-01-01 · Updated 2026-04-21 · CVE-2026-33347
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: league/commonmark versions 2.3.0 through 2.8.1

Description: The DomainFilteringAdapter in the Embed extension is susceptible to an allowlist bypass because the domain-matching regular expression lacks a hostname boundary assertion after the allowed domain. A malicious domain such as youtube.com.evil therefore passes the allowlist check when youtube.com is a permitted domain. This opens two attack vectors, Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS). The OscaroteroEmbedAdapter makes server-side HTTP requests to the embed URL, so a bypassed domain filter lets an attacker direct those requests to hosts they control. The EmbedRenderer outputs the oEmbed response HTML directly into the page without sanitization, so an attacker who controls the bypassed domain can return arbitrary HTML/JavaScript that is rendered in the viewer's browser.

Recommendations: Update to version 2.8.2 or later. If updating is not immediately possible, disable the Embed extension, or provide a custom domain-filtering implementation of EmbedAdapterInterface that compares the parsed hostname exactly (or on a label boundary) rather than matching an allowed domain as a regex prefix. As defense in depth, enable a Content Security Policy (CSP) and apply outbound firewall restrictions on the host that fetches embeds.
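The bypass described above and the hardened check recommended for a custom filter, as an added PHP example; this is not league/commonmark's own code. The weak regex is a hypothetical stand-in that reproduces the bug class (an allowed domain matched as a prefix of the hostname with no boundary assertion after it); weakAllows, hardenedAllows and the sample URLs are constructed here. The hardened function is the kind of check a custom EmbedAdapterInterface implementation could apply to each embed URL before delegating to the real adapter. Requires PHP 8.0+ for str_ends_with.

```php
<?php
declare(strict_types=1);

// Added example, not league/commonmark code. The regex in weakAllows() is a
// hypothetical stand-in for the bug class in the advisory: the allowed domain
// is matched without a hostname boundary, so "youtube.com.evil" passes when
// "youtube.com" is allowed.

/** Weak check: allowed domains are matched as a prefix with no hostname boundary. */
function weakAllows(string $url, array $allowedDomains): bool
{
    $quoted = array_map(static fn (string $d): string => preg_quote($d, '/'), $allowedDomains);
    // Optional scheme, optional subdomain prefix, then an allowed domain, and
    // nothing that asserts the hostname ends here.
    $regex = '/^(?:https?:\/\/)?(?:[^\/]*\.)?(?:' . implode('|', $quoted) . ')/i';

    return preg_match($regex, $url) === 1;
}

/** Hardened check: parse the URL, then compare the host exactly or on a label boundary. */
function hardenedAllows(string $url, array $allowedDomains): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return false; // no parseable host, e.g. a scheme-less "youtube.com.evil/x"
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false; // only fetch embeds over HTTP(S)
    }
    $host = rtrim(strtolower($parts['host']), '.');

    foreach ($allowedDomains as $allowed) {
        $allowed = strtolower($allowed);
        // Exact host, or a subdomain of it: the "." enforces the label boundary.
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return true;
        }
    }

    return false;
}

/** Evaluate every URL with both checks; returns [url => ['weak' => bool, 'hardened' => bool]]. */
function evaluate(array $urls, array $allowedDomains): array
{
    $out = [];
    foreach ($urls as $url) {
        $out[$url] = [
            'weak'     => weakAllows($url, $allowedDomains),
            'hardened' => hardenedAllows($url, $allowedDomains),
        ];
    }
    return $out;
}

// Constructed sample input: allowlist plus URLs an attacker might submit.
$allowed = ['youtube.com', 'vimeo.com'];
$cases = [
    'https://www.youtube.com/watch?v=abc', // legitimate subdomain: both allow
    'https://youtube.com.evil/embed',      // allowed domain is a prefix of the host: weak allows, hardened denies
    'youtube.com.evil/x',                  // no scheme, no parseable host: weak allows, hardened denies
    'https://evil/?u=youtube.com',         // allowed domain only in the query: both deny
    'http://youtube.com',                  // exact host: both allow
];

foreach (evaluate($cases, $allowed) as $url => $r) {
    printf("%-40s weak=%-5s hardened=%s\n", $url,
        $r['weak'] ? 'allow' : 'deny',
        $r['hardened'] ? 'allow' : 'deny');
}
```

The second and third cases are the ones that matter: the regex accepts them because nothing after the allowed domain constrains what the hostname continues with, while the parsed-host comparison rejects them. When wiring a check like hardenedAllows into a custom EmbedAdapterInterface, filter the embeds before handing them to the adapter that performs the server-side fetch, so that neither the SSRF nor the XSS path sees an attacker-controlled host.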

Tags: Exploit · Fix · XSS · SSRF

Weakness Enumeration

Related Identifiers
CVE-2026-33347
GHSA-HH8V-HGVP-G3F5
USN-8194-1

Affected Products
Commonmark (league/commonmark)
Embed (extension)
EmbedRenderer
OscaroteroEmbedAdapter
Ubuntu
Linux Mint