CVE-2026-30838 MEDIUM

CVE-2026-30838: league/commonmark: DisallowedRawHtml extension bypass via whitespace in HTML tag names

Vendor: Thephpleague
Product: commonmark
Weakness: CWE-79 (XSS)
Published: March 7, 2026
Last update: March 9, 2026

CVSS base score

5.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Passive (UI:P)
Confidentiality: None (VC:N)
Integrity: Low (VI:L)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.
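As an added illustration (not code from league/commonmark or from this record), the following Python model contrasts a tag-name filter that only recognises a literal space after the name with one that accepts every ASCII whitespace character the HTML tokenizer treats as ending a tag name, and checks which tags would still reach a browser after each filter. The disallowed tag list is assumed to match the GFM tagfilter defaults; the sample inputs are constructed.

```python
import re

# Assumed default disallowed tag list (GFM tagfilter set); constructed for
# this example, not taken from the library's configuration.
DISALLOWED_TAGS = ("title", "textarea", "style", "xmp", "iframe",
                   "noembed", "noframes", "script", "plaintext")
_TAGS = "|".join(DISALLOWED_TAGS)

# Weak filter: only a literal space, "/" or ">" may follow the tag name,
# so "<script\n>" is never matched and passes through untouched.
WEAK_RE = re.compile(r"<(/?(?:%s)[ />])" % _TAGS, re.IGNORECASE)

# Hardened filter: the tag name may end at any ASCII whitespace that the
# HTML tokenizer accepts there (space, tab, LF, CR, FF). Deliberately not
# "\s": that would also cover "\v" and Unicode spaces, which browsers treat
# as part of the tag name rather than as a terminator.
ASCII_WS = r" \t\n\r\f"
HARDENED_RE = re.compile(r"<(/?(?:%s)[%s/>])" % (_TAGS, ASCII_WS),
                         re.IGNORECASE)

# Browser-like view: a disallowed tag is live if "<" + name is followed by
# ASCII whitespace, "/" or ">".
_BROWSER_RE = re.compile(r"<(/?)(%s)(?=[%s/>])" % (_TAGS, ASCII_WS),
                         re.IGNORECASE)


def escape_disallowed(html, pattern=HARDENED_RE):
    """Neutralise disallowed tags by turning their leading '<' into '&lt;'."""
    return pattern.sub(r"&lt;\1", html)


def surviving_tags(html, pattern=HARDENED_RE):
    """Names of disallowed tags a browser would still see after filtering."""
    filtered = escape_disallowed(html, pattern)
    return [m.group(2).lower() for m in _BROWSER_RE.finditer(filtered)]


def compare_filters(html):
    """Run both filters over one input and report what each lets through."""
    return {"weak": surviving_tags(html, WEAK_RE),
            "hardened": surviving_tags(html, HARDENED_RE)}


# Constructed samples: the plain tag and the whitespace variants the CVE
# describes (newline, tab, other ASCII whitespace between name and '>').
SAMPLES = {
    "plain": "<script>alert(1)</script>",
    "newline": "<script\n>alert(1)</script>",
    "tab": "<script\t>alert(1)</script>",
    "formfeed": "<script\f>alert(1)</script>",
}

if __name__ == "__main__":
    for label, html in SAMPLES.items():
        print(label, compare_filters(html))
```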

Key dates

Disclosure timeline

March 7, 2026: CVE published
March 9, 2026: Record updated
