
CVE-2026-33347: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in thephpleague commonmark

Severity: Medium
Tags: Vulnerability, CVE-2026-33347, CWE-79, CWE-185, CWE-918
Published: Tue Mar 24 2026 (03/24/2026, 19:26:23 UTC)
Source: CVE Database V5
Vendor/Project: thephpleague
Product: commonmark

Description

CVE-2026-33347 is a medium severity cross-site scripting (XSS) vulnerability in thephpleague's commonmark PHP Markdown parser, versions 2.3.0 through 2.8.1. The flaw exists in the DomainFilteringAdapter of the Embed extension, where a missing hostname boundary assertion in the domain-matching regex allows an attacker to bypass the allowlist. This enables malicious domains like youtube.com.evil to be treated as allowed domains such as youtube.com, potentially leading to XSS attacks.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/24/2026, 20:01:48 UTC

Technical Analysis

CVE-2026-33347 is a cross-site scripting vulnerability identified in thephpleague's commonmark PHP Markdown parser, specifically within the DomainFilteringAdapter component of the Embed extension. The vulnerability arises from an improper regular expression used for domain allowlist validation, which lacks a hostname boundary assertion. This flaw allows attacker-controlled domains that append additional subdomains or suffixes (e.g., youtube.com.evil) to bypass the allowlist check intended to restrict embedding to trusted domains like youtube.com. When the vulnerable versions (>= 2.3.0 and < 2.8.2) process Markdown content containing embedded URLs, the DomainFilteringAdapter fails to correctly validate the domain, enabling malicious content injection. This can lead to reflected or stored XSS attacks, where an attacker can execute arbitrary JavaScript in the context of the victim's browser, potentially stealing session tokens, performing actions on behalf of the user, or delivering further payloads. The vulnerability does not require authentication or user interaction, increasing its risk profile. The issue was addressed in version 2.8.2 by correcting the regex to properly assert domain boundaries, preventing allowlist bypass. No known exploits have been reported in the wild as of the publication date. The CVSS 4.0 base score is 6.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact on confidentiality and integrity.
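As an added illustration of the defect described above and of the boundary-assertion fix recommended under Mitigation, the following is a constructed example and not the project's own code. The allowlist, the optional "www." prefix and the exact patterns are assumptions; it is written in Python because the PCRE-style syntax carries over to PHP's preg_match unchanged.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example (assumption, not the project's config).
ALLOWED_DOMAINS = ["youtube.com", "vimeo.com"]

def _alternation(domains):
    # Escape each domain so "." matches a literal dot, then join with "|".
    return "|".join(re.escape(d) for d in domains)

# Weak check (models the defect): the alternation is anchored at the start of
# the host but never at its end, so any host that merely starts with an
# allowed domain passes.  The optional "www." prefix is an assumption.
WEAK_RE = re.compile(
    r"^(?:www\.)?(?:" + _alternation(ALLOWED_DOMAINS) + r")", re.IGNORECASE)

# Hardened check: the end-of-string assertion "$" makes the allowed domain
# the whole host, so "youtube.com.evil" no longer matches.
STRICT_RE = re.compile(
    r"^(?:www\.)?(?:" + _alternation(ALLOWED_DOMAINS) + r")$", re.IGNORECASE)

def host_of(url):
    """Hostname of a URL (lowercased by urlsplit), or None if it has none."""
    return urlsplit(url).hostname

def weak_is_allowed(url):
    host = host_of(url)
    return host is not None and WEAK_RE.search(host) is not None

def strict_is_allowed(url):
    host = host_of(url)
    return host is not None and STRICT_RE.search(host) is not None

# Constructed sample URLs: one legitimate embed and three that probe the check.
SAMPLE_URLS = [
    "https://www.youtube.com/watch?v=abc",   # legitimate
    "https://youtube.com.evil/embed",        # suffix appended, as in the advisory
    "https://youtube.comevil/embed",         # no dot needed to fool the weak check
    "https://evil.example/?u=youtube.com",   # allowed name only in the query string
]

def compare(urls=SAMPLE_URLS):
    """Map each URL to (weak verdict, strict verdict)."""
    return {u: (weak_is_allowed(u), strict_is_allowed(u)) for u in urls}

if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"{url:45} weak={weak!s:5} strict={strict}")
```

Running the block shows the weak pattern accepting both bypass hosts while the anchored pattern accepts only the genuine youtube.com host; matching on the parsed hostname rather than the raw URL is what keeps the query-string case out of both checks.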

Potential Impact

The primary impact of CVE-2026-33347 is the potential for cross-site scripting attacks in web applications that use thephpleague commonmark library with the Embed extension enabled and rely on domain allowlisting for security. Successful exploitation can lead to unauthorized script execution in users' browsers, resulting in session hijacking, credential theft, defacement, or further malware delivery. This can damage organizational reputation, lead to data breaches, and cause regulatory compliance issues. Since the vulnerability can be exploited remotely without authentication or user interaction, it poses a significant risk to any public-facing web service using affected versions. The scope is limited to applications that embed external content via the vulnerable component, but given the popularity of PHP and Markdown parsers in content management systems, blogs, and developer tools, the affected attack surface is broad. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following disclosure.

Mitigation Recommendations

Organizations should immediately upgrade thephpleague commonmark library to version 2.8.2 or later, where the vulnerability is patched. For environments where immediate upgrade is not feasible, applying custom patches to fix the domain-matching regex by adding proper hostname boundary assertions can mitigate the risk. Additionally, implement defense-in-depth by sanitizing and validating all user-generated content before processing with Markdown parsers. Employ Content Security Policy (CSP) headers to restrict script execution and reduce the impact of potential XSS. Monitor logs for unusual embedding attempts or suspicious domain patterns that resemble allowlist bypass attempts. Conduct regular security code reviews and dependency audits to detect similar issues proactively. Finally, educate developers on secure regex construction and the risks of improper input validation in web content generation.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-18T22:15:11.814Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69c2ea08f4197a8e3b6b643c

Added to database: 3/24/2026, 7:46:16 PM

Last enriched: 3/24/2026, 8:01:48 PM

Last updated: 3/24/2026, 8:54:07 PM
