XSS in Thephpleague Commonmark

CVE-2026-30838

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (3.7th percentile)
