league/commonmark vulnerabilities
Published: Tue, 21 Apr 2026 17:25
Summary
Several security issues were fixed in league/commonmark.
Details
It was discovered that league/commonmark did not properly restrict unsafe attributes when the Attributes extension was enabled. An attacker could possibly use this issue to cause cross-site scripting by injecting malicious code into rendered HTML. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-46734) It was discovered that league/commonmark did not properly block certain disallowed HTML tags in some cases. An attacker could possibly use this issue to cause cross-site scripting by inserting malicious HTML that bypassed filtering. (CVE-2026-30838) It was discovered that league/commonmark did not properly enforce domain allowlist checks in the Embed extension. An attacker could possibly use this issue to bypass domain restrictions and cause untrusted content to be treated as allowed. This issue only affected Ubuntu 24.04 LTS. (CVE-2026-33347)
Recommended actions per Ubuntu release
StackPatch playbook auto-generated per release codename and per affected package.
Ubuntu focal
php-league-commonmark→1.3.1-1ubuntu2+esm1apt_upgradeStandard apt upgrade. Install 1.3.1-1ubuntu2+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y php-league-commonmark
Most apt upgrades restart their service automatically. needrestart lists anything else.
php-league-commonmark→1.3.1-1ubuntu2+esm1apt_upgradeStandard apt upgrade. Install 1.3.1-1ubuntu2+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y php-league-commonmark
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu jammy
php-league-commonmark→1.6.7-1ubuntu0.1~esm1apt_upgrade_esmFixed at 1.6.7-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y php-league-commonmark=1.6.7-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
php-league-commonmark→1.6.7-1ubuntu0.1~esm1apt_upgrade_esmFixed at 1.6.7-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y php-league-commonmark=1.6.7-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
Ubuntu noble
php-league-commonmark→2.4.2-2ubuntu0.1~esm1apt_upgrade_esmFixed at 2.4.2-2ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y php-league-commonmark=2.4.2-2ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
php-league-commonmark→2.4.2-2ubuntu0.1~esm1apt_upgrade_esmFixed at 2.4.2-2ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y php-league-commonmark=2.4.2-2ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
Are YOU affected by USN-8194-1?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8194-1 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
StackPatch runs this match against YOUR installed packages every hour
Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.