GHSA-hh8v-hgvp-g3f5

Source
https://github.com/advisories/GHSA-hh8v-hgvp-g3f5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-hh8v-hgvp-g3f5/GHSA-hh8v-hgvp-g3f5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hh8v-hgvp-g3f5
Aliases
  • CVE-2026-33347
Published
2026-03-19T19:04:24Z
Modified
2026-03-20T21:35:43.532793Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Summary
league/commonmark has an embed extension allowed_domains bypass
Details

Impact

The DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain.

This enables two attack vectors:

  • SSRF: The OscaroteroEmbedAdapter makes server-side HTTP requests to the embed URL via the embed/embed library. A bypassed domain filter causes the server to make outbound requests to an attacker-controlled host, potentially probing internal services or exfiltrating request metadata.
  • XSS: EmbedRenderer outputs the oEmbed response HTML directly into the page with no sanitization. An attacker controlling the bypassed domain can return arbitrary HTML/JavaScript in their oEmbed response, which is rendered verbatim.

Any application using the Embed extension and relying on allowed_domains to restrict domains when processing untrusted Markdown input is affected.

Patches

This has been patched in version 2.8.2. The fix replaces the regex-based domain check with explicit hostname parsing using parse_url(), ensuring exact domain and subdomain matching only.
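The two checks described in the Impact and Patches sections, as an added illustration that is not the league/commonmark source: `isAllowedWeak()` is a constructed stand-in for a domain regex with no end-of-hostname boundary (the advisory does not reproduce the real pattern), and `isAllowedStrict()` follows the described fix by extracting the host with `parse_url()` and accepting only an exact match or a true subdomain. Both function names and the test URLs are assumptions for this example; `str_ends_with()` requires PHP 8.

```php
<?php
// Added example, not code from league/commonmark. The weak check is a constructed
// stand-in for a boundary-less regex; the strict check mirrors the advisory's fix
// (explicit hostname parsing with parse_url(), exact domain or subdomain only).
declare(strict_types=1);

/** Constructed weak check: regex anchored at the start of the URL but not at the end of the host. */
function isAllowedWeak(string $url, array $allowedDomains): bool
{
    foreach ($allowedDomains as $domain) {
        // Nothing asserts that the host ends right after $domain, so
        // "youtube.com.evil" still matches an allowlist entry of "youtube.com".
        $pattern = '#^https?://([^/]+\.)?' . preg_quote($domain, '#') . '#i';
        if (preg_match($pattern, $url) === 1) {
            return true;
        }
    }
    return false;
}

/** Hardened check: parse the host explicitly and compare whole DNS labels. */
function isAllowedStrict(string $url, array $allowedDomains): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // unparsable or host-less URL: deny by default
    }
    // Normalise case and a trailing dot so "YouTube.com." compares equal to "youtube.com".
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowedDomains as $domain) {
        $domain = strtolower($domain);
        // Exact host, or a subdomain: the allowed domain must be preceded by a label boundary.
        if ($host === $domain || str_ends_with($host, '.' . $domain)) {
            return true;
        }
    }
    return false;
}

// Constructed test inputs; the third is the bypass case from the advisory.
$allowed = ['youtube.com'];
$urls = [
    'https://youtube.com/watch?v=abc',       // exact host: both allow
    'https://www.youtube.com/watch?v=abc',   // subdomain: both allow
    'https://youtube.com.evil/oembed',       // weak allows (bypass), strict denies
    'https://notyoutube.com/oembed',         // both deny: no label boundary before the domain
];
foreach ($urls as $url) {
    printf("%-40s weak=%-5s strict=%s\n", $url,
        isAllowedWeak($url, $allowed) ? 'allow' : 'deny',
        isAllowedStrict($url, $allowed) ? 'allow' : 'deny');
}
```

Running the script shows the third URL passing the weak check and failing the strict one; the same host-parsing approach is what a custom EmbedAdapterInterface implementation (one of the listed workarounds) should use when filtering embed URLs on an unpatched version.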

Workarounds

  • Disable the Embed extension, or restrict its use to trusted users
  • Provide your own domain-filtering implementation of EmbedAdapterInterface
  • Enable a Content Security Policy (CSP) and outbound firewall restrictions

References

  • https://commonmark.thephpleague.com/2.x/extensions/embed/#configuration
Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T19:04:24Z",
    "cwe_ids": [
        "CWE-185",
        "CWE-79",
        "CWE-918"
    ],
    "nvd_published_at": null,
    "severity": "MODERATE"
}
Affected packages

Packagist / league/commonmark

Package

Name
league/commonmark
Purl
pkg:composer/league/commonmark

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.8.2

Affected versions

2.*
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.7.0
2.7.1
2.8.0
2.8.1

Database specific

last_known_affected_version_range
"<= 2.8.1"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-hh8v-hgvp-g3f5/GHSA-hh8v-hgvp-g3f5.json"