UBUNTU-CVE-2026-30838

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-30838
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-30838.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-30838
Upstream
Downstream
Published
2026-03-07T16:15:00Z
Modified
2026-04-22T20:34:18.202753Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.

References

Affected packages

Ubuntu:Pro:20.04:LTS / php-league-commonmark

Package

Name
php-league-commonmark
Purl
pkg:deb/ubuntu/php-league-commonmark@1.3.1-1ubuntu2+esm1?arch=source&distro=esm-apps/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.1.2-1
1.2.0-1
1.3.0-1
1.3.1-1
1.3.1-1ubuntu2
1.3.1-1ubuntu2+esm1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "php-league-commonmark",
            "binary_version": "1.3.1-1ubuntu2+esm1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-30838.json"

Ubuntu:Pro:22.04:LTS / php-league-commonmark

Package

Name
php-league-commonmark
Purl
pkg:deb/ubuntu/php-league-commonmark@1.6.7-1ubuntu0.1~esm1?arch=source&distro=esm-apps/jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.5.7-2build1
1.6.6-1build1
1.6.7-1
1.6.7-1ubuntu0.1~esm1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "php-league-commonmark",
            "binary_version": "1.6.7-1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-30838.json"

Ubuntu:Pro:24.04:LTS / php-league-commonmark

Package

Name
php-league-commonmark
Purl
pkg:deb/ubuntu/php-league-commonmark@2.4.2-2ubuntu0.1~esm1?arch=source&distro=esm-apps/noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.3.9-1
2.4.1-1
2.4.2-1
2.4.2-2
2.4.2-2ubuntu0.1~esm1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "php-league-commonmark",
            "binary_version": "2.4.2-2ubuntu0.1~esm1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-30838.json"

Ubuntu:25.10 / php-league-commonmark

Package

Name
php-league-commonmark
Purl
pkg:deb/ubuntu/php-league-commonmark@2.7.0-1?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.6.1-2
2.6.2-1
2.7.0-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "php-league-commonmark",
            "binary_version": "2.7.0-1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-30838.json"