CVE-2026-33347 in league/commonmark

Summary

by MITRE • 03/24/2026

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.


Analysis

by VulDB Data Team • 04/09/2026

CVE-2026-33347 affects the league/commonmark PHP Markdown parser in versions 2.3.0 through 2.8.1 inclusive. The flaw sits in the Embed extension's DomainFilteringAdapter, the component that decides which external hosts user-supplied embed URLs may point at. It is an allowlist bypass: the regular expression that compares a URL's hostname against the configured allowlist asserts a boundary in front of the allowed domain but not behind it, so a hostname that merely begins with an allowed domain is accepted as if it were that domain.

Concretely, with youtube.com on the allowlist, a hostname such as youtube.com.evil passes the check because the regex finds youtube.com at the start of the hostname and never requires it to end there. Note that youtube.com.evil is not a subdomain of youtube.com; its registrable domain is evil, which the attacker controls, and youtube.com is just a label prefix the attacker chose. Any hostname of the form <allowed-domain>.<attacker-domain> is therefore treated as allowed. VulDB classifies the weakness as CWE-20: Improper Input Validation, in the form of a regex that fails to enforce hostname boundaries.

The operational impact is that the allowlist no longer restricts which hosts end up embedded in rendered output. The DomainFilteringAdapter is supposed to permit only hosts that are, or are subdomains of, an explicitly listed domain; with the bypass, an attacker who controls a domain can mint hostnames that look like extensions of trusted services and have the Embed extension treat them as trusted. Depending on how the resulting embed HTML is rendered, that can mean attacker-controlled frames, media or scripts in the page, which is useful for phishing and, in the worst case, script injection. Applications that run league/commonmark over user-generated content containing embedded media are the ones exposed, because the allowlist was the control that kept arbitrary third-party hosts out.

The fix is to upgrade to league/commonmark 2.8.2 or later, where the DomainFilteringAdapter's regex asserts a boundary on both sides of the allowed domain, so the hostname must either equal an allowed domain or end with a dot followed by one. Organizations should inventory applications that ship affected versions (Composer lock files make this straightforward) and prioritize patching where the Embed extension is enabled on user-supplied Markdown. As a defense in depth, log the hostnames that pass the embed allowlist and alert on any host that does not end in a configured domain, and consider an independent hostname check in the application in front of the library's filter. VulDB tags the issue with ATT&CK technique T1213.002 (Data from Information Repositories: SharePoint); that mapping is loose, and the more useful framing is the CWE-20 one: a validation regex that checked where the allowed domain begins but not where it ends, which is exactly what the patch corrects.
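The following is an added example, not code from league/commonmark or VulDB, that models the weakness described above and its fix in a language-neutral way: a suffix check without an end-of-hostname assertion beside a hardened one with boundaries on both sides. The allowlist contents, the function names and the way the hostname is normalized are assumptions made for the illustration; the regex semantics shown are the same in PHP's PCRE, which is what the library uses.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for the example (not the library's configuration).
ALLOWED_DOMAINS = ("youtube.com", "vimeo.com")


def _alternation(allowed):
    # Escape each allowed domain so its dots are literal in the regex.
    return "|".join(re.escape(d) for d in allowed)


def vulnerable_host_allowed(host, allowed=ALLOWED_DOMAINS):
    """Modeled weak check: a boundary is asserted before the allowed domain
    (start of string or a dot) but nothing is asserted after it, so
    'youtube.com.evil' matches because 'youtube.com' is found at the start
    and the regex never requires it to reach the end of the hostname."""
    pattern = r"(?:^|\.)(?:%s)" % _alternation(allowed)
    return re.search(pattern, host, re.IGNORECASE) is not None


def normalize_host(host):
    # Lowercase and strip a single trailing dot (FQDN form) so that
    # 'YouTube.COM.' is compared as 'youtube.com'.
    host = host.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    return host


def hardened_host_allowed(host, allowed=ALLOWED_DOMAINS):
    """Hardened check: boundaries on both sides. The allowed domain must be
    the whole hostname or a suffix preceded by a dot, so 'www.youtube.com'
    passes, 'youtube.com.evil' and 'evilyoutube.com' do not."""
    pattern = r"(?:^|\.)(?:%s)$" % _alternation(allowed)
    return re.search(pattern, normalize_host(host)) is not None


def url_allowed(url, allowed=ALLOWED_DOMAINS):
    """Apply the hardened check to a full URL. Only http(s) URLs with a host
    are considered; urlsplit().hostname ignores userinfo, so a URL like
    'https://youtube.com@evil.example/' is judged by 'evil.example'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return hardened_host_allowed(parts.hostname, allowed)


def compare(hosts):
    """Return (host, vulnerable_result, hardened_result) for each sample host."""
    return [(h, vulnerable_host_allowed(h), hardened_host_allowed(h)) for h in hosts]


if __name__ == "__main__":
    # Constructed sample hostnames covering the bypass and the edge cases.
    samples = ["youtube.com", "www.youtube.com", "YouTube.COM.",
               "youtube.com.evil", "youtube.com.evil.example", "evilyoutube.com"]
    for host, weak, strong in compare(samples):
        print("%-26s vulnerable=%-5s hardened=%s" % (host, weak, strong))
```

The `(?:^|\.)` prefix alone already stops `evilyoutube.com`; it is the missing `$` that lets `youtube.com.evil` through, which is why the fix is a single end-of-hostname assertion rather than a rewrite of the matcher. Running the hardened check on the parsed hostname rather than on the raw URL string also avoids being fooled by userinfo, ports or paths that contain an allowed domain.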

Responsible: GitHub M

Reservation: 03/18/2026

Disclosure: 03/24/2026

Moderation: accepted

CPE: ready

EPSS: 0.00015

KEV: no

Activities: very low
