CVE-2026-30838 in commonmark
Summary
by MITRE • 03/07/2026
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/09/2026
The vulnerability CVE-2026-30838 affects the league/commonmark PHP Markdown parser, specifically targeting the DisallowedRawHtml extension that is designed to prevent execution of potentially dangerous HTML tags within Markdown content. This weakness represents a classic input validation bypass where the security mechanism fails to properly sanitize user input due to insufficient character validation. The flaw allows attackers to circumvent the intended protection by inserting whitespace characters such as newlines, tabs, or other ASCII whitespace between the HTML tag name and its closing angle bracket, effectively transforming what should be filtered content into executable code.
The technical implementation of this vulnerability stems from the extension's inadequate parsing logic that does not account for whitespace characters that are typically ignored in HTML parsing but can be leveraged to bypass security controls. When a malicious actor submits content like `<script >`, the parser fails to recognize this as a disallowed raw HTML tag because the whitespace character between the tag name and the closing bracket prevents the proper matching against the disallowed pattern. This creates a false positive where the content passes through the sanitization layer unfiltered, allowing the browser to interpret it as legitimate HTML and execute any embedded JavaScript code. The vulnerability directly maps to CWE-79, which describes Cross-Site Scripting flaws, and specifically demonstrates how improper neutralization of special characters can lead to code execution in web applications.
The operational impact of this vulnerability is significant for applications that rely on the DisallowedRawHtml extension as their primary security mechanism for processing untrusted Markdown input. Any web application allowing user-generated content that gets parsed through this library becomes susceptible to XSS attacks, potentially allowing attackers to inject malicious scripts that can steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. The attack vector is particularly concerning because it requires minimal effort from attackers and can be easily automated, making it a preferred method for exploitation in many web application penetration testing scenarios. This vulnerability affects the core security model of the library and demonstrates the critical importance of proper input validation and sanitization in security-sensitive components.
Organizations using affected versions of league/commonmark should immediately upgrade to version 2.8.1 where the patch has been implemented to address the whitespace character bypass issue. The fix ensures that all forms of whitespace characters between HTML tag names and their closing brackets are properly recognized and handled according to the extension's intended security policy. Applications that implement additional HTML sanitization layers using tools like HTML Purifier or similar security-focused libraries are not affected by this specific vulnerability, as these tools provide independent protection mechanisms that operate outside the scope of the DisallowedRawHtml extension's bypass. Security teams should conduct thorough assessments of their applications to identify all instances where this library is used and verify that proper upgrade procedures have been implemented across all environments. The vulnerability also highlights the importance of comprehensive testing for security controls, particularly in scenarios involving character encoding and whitespace handling that can be exploited in subtle ways to bypass intended protections.