DEBIAN-CVE-2026-33347
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-33347
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33347.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-33347
- Upstream
- Published
- 2026-03-24T20:16:29.240Z
- Modified
- 2026-04-09T11:18:46.285307Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
- References
Affected packages
Debian:11 / php-league-commonmark
Package
- Name
- php-league-commonmark
- Purl
- pkg:deb/debian/php-league-commonmark?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1.*
1.5.7-2
1.5.8-1
1.6.2-1
1.6.6-1
1.6.7-1
2.*
2.1.1-1
2.2.0-1
2.2.1-1
2.2.2-1
2.2.3-1
2.3.3-1
2.3.3-2
2.3.3-3
2.3.4-1
2.3.5-1
2.3.6-1
2.3.7-1
2.3.8-1
2.3.9-1
2.4.0-1
2.4.1-1
2.4.2-1
2.4.2-2
2.5.0-1
2.5.1-1
2.5.3-1
2.6.0-1
2.6.1-1
2.6.1-2
2.6.2-1
2.7.0-1
2.7.1-1
2.7.1-2
2.8.0-1
2.8.1-1
2.8.2-1
Debian:12 / php-league-commonmark
Package
- Name
- php-league-commonmark
- Purl
- pkg:deb/debian/php-league-commonmark?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Debian:13 / php-league-commonmark
Package
- Name
- php-league-commonmark
- Purl
- pkg:deb/debian/php-league-commonmark?arch=source
Debian:14 / php-league-commonmark
Package
- Name
- php-league-commonmark
- Purl
- pkg:deb/debian/php-league-commonmark?arch=source