league/commonmark, Cross-site Scripting (XSS), CVE-2026-30838 (MEDIUM)

Listen to this Post

The league/commonmark library, a PHP Markdown parser, prior to version 2.8.1 contains a vulnerability in its DisallowedRawHtml extension. This extension is designed to filter out potentially dangerous HTML tags like <script>, <iframe>, and `