Thephpleague's commonmark is a widely used PHP library for parsing Markdown into HTML. Its DisallowedRawHtml extension is designed to prevent raw HTML tags from being rendered, thereby mitigating XSS risks when processing untrusted markdown input. However, prior to version 2.8.1, this extension fails to properly neutralize input containing disallowed HTML tags if an attacker inserts ASCII whitespace characters such as newlines or tabs between the tag name and the closing '>'. For example, the tag <script\n> bypasses the filter and is interpreted by browsers as a valid script tag, enabling cross-site scripting attacks. This vulnerability stems from improper input validation and sanitization during web page generation (CWE-79). The vulnerability affects all applications using the DisallowedRawHtml extension on untrusted markdown without additional HTML sanitization. Applications that apply a dedicated HTML sanitizer like HTML Purifier on the rendered output remain protected. The vulnerability has a CVSS 4.0 base score of 5.1 (medium severity), reflecting its network attack vector, low attack complexity, no privileges required, but requiring user interaction and limited impact on confidentiality and integrity. No known exploits have been reported in the wild. The issue was publicly disclosed on March 7, 2026, and fixed in version 2.8.1 of commonmark.

Successful exploitation of this vulnerability allows attackers to inject malicious scripts into web pages rendered from untrusted markdown input, leading to cross-site scripting attacks. This can result in session hijacking, credential theft, defacement, or redirection to malicious sites, compromising user confidentiality and integrity. The impact is particularly significant for web applications that rely solely on the DisallowedRawHtml extension for sanitization without additional HTML filtering. Since the vulnerability can be exploited remotely over the network without authentication, any publicly accessible application using affected versions is at risk. However, the requirement for user interaction (e.g., a victim viewing the malicious markdown content) limits automated widespread exploitation. The vulnerability does not affect availability directly but can undermine user trust and lead to reputational damage. Organizations processing user-generated markdown content with the vulnerable library are most at risk.

1. Upgrade thephpleague commonmark library to version 2.8.1 or later, where the vulnerability is patched. 2. If immediate upgrade is not possible, implement additional HTML sanitization on the rendered output using robust libraries such as HTML Purifier to neutralize any malicious tags or scripts. 3. Review and restrict markdown input sources to trusted users where feasible to reduce exposure. 4. Employ Content Security Policy (CSP) headers to limit the impact of potential XSS by restricting script execution and resource loading. 5. Conduct thorough security testing of markdown processing workflows to detect any residual injection vectors. 6. Educate developers and content managers about the risks of relying solely on DisallowedRawHtml for sanitization. 7. Monitor application logs and user reports for suspicious activity indicative of XSS exploitation attempts.