DEBIAN-CVE-2026-30838

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-30838

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-30838.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-30838

Upstream

CVE-2026-30838

Published

2026-03-07T16:15:56.250Z

Modified

2026-03-12T09:00:54.327740Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.

References

https://security-tracker.debian.org/tracker/CVE-2026-30838

Affected packages

Debian:11 / php-league-commonmark

Package

Name: php-league-commonmark
Purl: pkg:deb/debian/php-league-commonmark?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5.7-2

1.5.8-1

1.6.2-1

1.6.6-1

1.6.7-1

2.*

2.1.1-1

2.2.0-1

2.2.1-1

2.2.2-1

2.2.3-1

2.3.3-1

2.3.3-2

2.3.3-3

2.3.4-1

2.3.5-1

2.3.6-1

2.3.7-1

2.3.8-1

2.3.9-1

2.4.0-1

2.4.1-1

2.4.2-1

2.4.2-2

2.5.0-1

2.5.1-1

2.5.3-1

2.6.0-1

2.6.1-1

2.6.1-2

2.6.2-1

2.7.0-1

2.7.1-1

2.7.1-2

2.8.0-1

2.8.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-30838.json"

Debian:12 / php-league-commonmark

Package

Name: php-league-commonmark
Purl: pkg:deb/debian/php-league-commonmark?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.9-1

2.4.0-1

2.4.1-1

2.4.2-1

2.4.2-2

2.5.0-1

2.5.1-1

2.5.3-1

2.6.0-1

2.6.1-1

2.6.1-2

2.6.2-1

2.7.0-1

2.7.1-1

2.7.1-2

2.8.0-1

2.8.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-30838.json"

Debian:13 / php-league-commonmark

Package

Name: php-league-commonmark
Purl: pkg:deb/debian/php-league-commonmark?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.7.0-1

2.7.1-1

2.7.1-2

2.8.0-1

2.8.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-30838.json"

Debian:14 / php-league-commonmark

Package

Name: php-league-commonmark
Purl: pkg:deb/debian/php-league-commonmark?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.8.1-1

Affected versions

2.*

2.7.0-1

2.7.1-1

2.7.1-2

2.8.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-30838.json"