league/commonmark
Packagist4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting league/commonmarkpage 1 of 1
- CVE-2018-20583MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.18.12018-12-30
vulnerable: 0.15.6 ... 0.18.0 (10 versions)
Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline characte…
- CVE-2019-10010MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.18.32019-03-24
vulnerable: 0.1.0 ... 0.9.0 (46 versions)
Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a di…
- CVE-2025-46734MEDIUMCVSS 6.4EG 6.4✓ Fixed in 2.7.02025-05-05
vulnerable: 1.5.0 ... 2.6.2 (59 versions)
league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls…
- CVE-2026-33347MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.8.22026-03-24
vulnerable: 2.3.0 ... 2.8.1 (26 versions)
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-match…
Check whether league/commonmark is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for league/commonmark CVEs against the assets you own.
Start Free Scan →