CVE-2026-33347

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.

### Impact The `DomainFilteringAdapter` in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like `youtube.com.evil` passes the allowlist check when `youtube.com` is an allowed domain. This enables two attack vectors: - **SSRF**: The `OscaroteroEmbedAdapter` makes server-side HTTP requests to the embed URL via the `embed/embed` library. A bypassed domain filter causes the server to make outbound requests to an attacker-controlled host, potentially probing internal services or exfiltrating request metadata. - **XSS**: `EmbedRenderer` outputs the oEmbed response HTML directly into the page with no sanitization. An attacker controlling the bypassed domain can return arbitrary HTML/JavaScript in their oEmbed response, which is rendered verbatim. Any application using the `Embed` extension and relying on `allowed_domains` to restrict domains when processing untrusted Markdown input is affected. ### Patches This has been patched in version **2.8.2**. The fix replaces the regex-based domain check with explicit hostname parsing using `parse_url()`, ensuring exact domain and subdomain matching only. ### Workarounds - Disable the `Embed` extension, or restrict its use to trusted users - Provide your own domain-filtering implementation of `EmbedAdapterInterface` - Enable a [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) and outbound firewall restrictions

### Impact The `DomainFilteringAdapter` in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like `youtube.com.evil` passes the allowlist check when `youtube.com` is an allowed domain. This enables two attack vectors: - **SSRF**: The `OscaroteroEmbedAdapter` makes server-side HTTP requests to the embed URL via the `embed/embed` library. A bypassed domain filter causes the server to make outbound requests to an attacker-controlled host, potentially probing internal services or exfiltrating request metadata. - **XSS**: `EmbedRenderer` outputs the oEmbed response HTML directly into the page with no sanitization. An attacker controlling the bypassed domain can return arbitrary HTML/JavaScript in their oEmbed response, which is rendered verbatim. Any application using the `Embed` extension and relying on `allowed_domains` to restrict domains when processing untrusted Markdown input is affected. ### Patches This has been patched in version **2.8.2**. The fix replaces the regex-based domain check with explicit hostname parsing using `parse_url()`, ensuring exact domain and subdomain matching only. ### Workarounds - Disable the `Embed` extension, or restrict its use to trusted users - Provide your own domain-filtering implementation of `EmbedAdapterInterface` - Enable a [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) and outbound firewall restrictions

league/commonmark es un analizador de Markdown de PHP. Desde la versión 2.3.0 hasta antes de la versión 2.8.2, el DomainFilteringAdapter en la extensión Embed es vulnerable a una omisión de la lista de permitidos debido a una aserción de límite de nombre de host faltante en la expresión regular de coincidencia de dominio. Un dominio controlado por un atacante como youtube.com.evil pasa la verificación de la lista de permitidos cuando youtube.com es un dominio permitido. Este problema ha sido parcheado en la versión 2.8.2.