Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33347

created 3 weeks, 4 days ago

league/commonmark has an embed extension allowed_domains bypass

league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.

References

https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5 x_refsource_CONFIRM
https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b x_refsource_MISC
https://github.com/thephpleague/commonmark/releases/tag/2.8.2 x_refsource_MISC

Affected products

commonmark

==>= 2.3.0, < 2.8.2

Matching in nixpkgs

pkgs.guile-commonmark

Implementation of CommonMark for Guile

nixos-unstable 2020-04-30
- nixpkgs-unstable 2020-04-30
- nixos-unstable-small 2020-04-30
nixos-25.11 2020-04-30
- nixos-25.11-small 2020-04-30
- nixpkgs-25.11-darwin 2020-04-30

pkgs.rubyPackages.commonmarker

None

nixos-unstable 0.23.12
- nixpkgs-unstable 0.23.12
- nixos-unstable-small 0.23.12
nixos-25.11 0.23.12
- nixos-25.11-small 0.23.12
- nixpkgs-25.11-darwin 0.23.12

pkgs.haskellPackages.commonmark

Pure Haskell commonmark parser

nixos-unstable 0.2.6.1
- nixpkgs-unstable 0.2.6.1
- nixos-unstable-small 0.2.6.1
nixos-25.11 0.2.6.1
- nixos-25.11-small 0.2.6.1
- nixpkgs-25.11-darwin 0.2.6.1

pkgs.python312Packages.commonmark

Python CommonMark parser

nixos-25.11 0.9.1
- nixos-25.11-small 0.9.1
- nixpkgs-25.11-darwin 0.9.1

pkgs.python313Packages.commonmark

Python CommonMark parser

nixos-unstable 0.9.1
- nixpkgs-unstable 0.9.1
- nixos-unstable-small 0.9.1
nixos-25.11 0.9.1
- nixos-25.11-small 0.9.1
- nixpkgs-25.11-darwin 0.9.1

pkgs.python314Packages.commonmark

Python CommonMark parser

nixos-unstable 0.9.1
- nixpkgs-unstable 0.9.1
- nixos-unstable-small 0.9.1

pkgs.rubyPackages_3_1.commonmarker

None

pkgs.rubyPackages_3_2.commonmarker

None

pkgs.rubyPackages_3_3.commonmarker

None

nixos-unstable 0.23.12
- nixpkgs-unstable 0.23.12
- nixos-unstable-small 0.23.12
nixos-25.11 0.23.12
- nixos-25.11-small 0.23.12
- nixpkgs-25.11-darwin 0.23.12

pkgs.rubyPackages_3_4.commonmarker

None

nixos-unstable 0.23.12
- nixpkgs-unstable 0.23.12
- nixos-unstable-small 0.23.12
nixos-25.11 0.23.12
- nixos-25.11-small 0.23.12
- nixpkgs-25.11-darwin 0.23.12

pkgs.rubyPackages_4_0.commonmarker

None

nixos-unstable 0.23.12
- nixpkgs-unstable 0.23.12
- nixos-unstable-small 0.23.12
nixos-25.11 0.23.12
- nixos-25.11-small 0.23.12
- nixpkgs-25.11-darwin 0.23.12

pkgs.haskellPackages.commonmark-cli

Command-line commonmark converter and highlighter

nixos-unstable 0.2.1
- nixpkgs-unstable 0.2.1
- nixos-unstable-small 0.2.1
nixos-25.11 0.2.1
- nixos-25.11-small 0.2.1
- nixpkgs-25.11-darwin 0.2.1

pkgs.python312Packages.recommonmark

Docutils-compatibility bridge to CommonMark

nixos-25.11 0.7.1
- nixos-25.11-small 0.7.1
- nixpkgs-25.11-darwin 0.7.1

pkgs.python313Packages.recommonmark

Docutils-compatibility bridge to CommonMark

nixos-unstable 0.7.1
- nixpkgs-unstable 0.7.1
- nixos-unstable-small 0.7.1
nixos-25.11 0.7.1
- nixos-25.11-small 0.7.1
- nixpkgs-25.11-darwin 0.7.1

pkgs.python314Packages.recommonmark

Docutils-compatibility bridge to CommonMark

nixos-unstable 0.7.1
- nixpkgs-unstable 0.7.1
- nixos-unstable-small 0.7.1

pkgs.rubyPackages.jekyll-commonmark

None

nixos-unstable 1.4.0
- nixpkgs-unstable 1.4.0
- nixos-unstable-small 1.4.0
nixos-25.11 1.4.0
- nixos-25.11-small 1.4.0
- nixpkgs-25.11-darwin 1.4.0

pkgs.tests.nixosOptionsDoc.commonMark

None

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.haskellPackages.commonmark-pandoc

Bridge between commonmark and pandoc AST

nixos-unstable 0.2.3
- nixpkgs-unstable 0.2.3
- nixos-unstable-small 0.2.3
nixos-25.11 0.2.3
- nixos-25.11-small 0.2.3
- nixpkgs-25.11-darwin 0.2.3

pkgs.haskellPackages.commonmark-simple

Simple interface to commonmark-hs

nixos-unstable 0.2.0.0
- nixpkgs-unstable 0.2.0.0
- nixos-unstable-small 0.2.0.0
nixos-25.11 0.2.0.0
- nixos-25.11-small 0.2.0.0
- nixpkgs-25.11-darwin 0.2.0.0

pkgs.haskellPackages.commonmark-initial

An initial encoding of the CommonMark language

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0
nixos-25.11 0.1.0.0
- nixos-25.11-small 0.1.0.0
- nixpkgs-25.11-darwin 0.1.0.0

pkgs.rubyPackages_3_1.jekyll-commonmark

None

pkgs.rubyPackages_3_2.jekyll-commonmark

None

pkgs.rubyPackages_3_3.jekyll-commonmark

None

nixos-unstable 1.4.0
- nixpkgs-unstable 1.4.0
- nixos-unstable-small 1.4.0
nixos-25.11 1.4.0
- nixos-25.11-small 1.4.0
- nixpkgs-25.11-darwin 1.4.0

pkgs.rubyPackages_3_4.jekyll-commonmark

None

nixos-unstable 1.4.0
- nixpkgs-unstable 1.4.0
- nixos-unstable-small 1.4.0
nixos-25.11 1.4.0
- nixos-25.11-small 1.4.0
- nixpkgs-25.11-darwin 1.4.0

pkgs.rubyPackages_4_0.jekyll-commonmark

None

nixos-unstable 1.4.0
- nixpkgs-unstable 1.4.0
- nixos-unstable-small 1.4.0
nixos-25.11 1.4.0
- nixos-25.11-small 1.4.0
- nixpkgs-25.11-darwin 1.4.0

pkgs.haskellPackages.commonmark-wikilink

Obsidian-friendly commonmark wikilink parser

nixos-unstable 0.2.0.0
- nixpkgs-unstable 0.2.0.0
- nixos-unstable-small 0.2.0.0
nixos-25.11 0.2.0.0
- nixos-25.11-small 0.2.0.0
- nixpkgs-25.11-darwin 0.2.0.0

pkgs.haskellPackages.commonmark-extensions

Pure Haskell commonmark parser

nixos-unstable 0.2.6
- nixpkgs-unstable 0.2.6
- nixos-unstable-small 0.2.6
nixos-25.11 0.2.6
- nixos-25.11-small 0.2.6
- nixpkgs-25.11-darwin 0.2.6

pkgs.rubyPackages.jekyll-commonmark-ghpages

None

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1
nixos-25.11 0.5.1
- nixos-25.11-small 0.5.1
- nixpkgs-25.11-darwin 0.5.1

pkgs.rubyPackages_3_1.jekyll-commonmark-ghpages

None

pkgs.rubyPackages_3_2.jekyll-commonmark-ghpages

None

pkgs.rubyPackages_3_3.jekyll-commonmark-ghpages

None

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1
nixos-25.11 0.5.1
- nixos-25.11-small 0.5.1
- nixpkgs-25.11-darwin 0.5.1

pkgs.rubyPackages_3_4.jekyll-commonmark-ghpages

None

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1
nixos-25.11 0.5.1
- nixos-25.11-small 0.5.1
- nixpkgs-25.11-darwin 0.5.1

pkgs.rubyPackages_4_0.jekyll-commonmark-ghpages

None

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1
nixos-25.11 0.5.1
- nixos-25.11-small 0.5.1
- nixpkgs-25.11-darwin 0.5.1

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.guile-commonmark

pkgs.rubyPackages.commonmarker

pkgs.haskellPackages.commonmark

pkgs.python312Packages.commonmark

pkgs.python313Packages.commonmark

pkgs.python314Packages.commonmark

pkgs.rubyPackages_3_1.commonmarker

pkgs.rubyPackages_3_2.commonmarker

pkgs.rubyPackages_3_3.commonmarker

pkgs.rubyPackages_3_4.commonmarker

pkgs.rubyPackages_4_0.commonmarker

pkgs.haskellPackages.commonmark-cli

pkgs.python312Packages.recommonmark

pkgs.python313Packages.recommonmark

pkgs.python314Packages.recommonmark

pkgs.rubyPackages.jekyll-commonmark

pkgs.tests.nixosOptionsDoc.commonMark

pkgs.haskellPackages.commonmark-pandoc

pkgs.haskellPackages.commonmark-simple

pkgs.haskellPackages.commonmark-initial

pkgs.rubyPackages_3_1.jekyll-commonmark

pkgs.rubyPackages_3_2.jekyll-commonmark

pkgs.rubyPackages_3_3.jekyll-commonmark

pkgs.rubyPackages_3_4.jekyll-commonmark

pkgs.rubyPackages_4_0.jekyll-commonmark

pkgs.haskellPackages.commonmark-wikilink

pkgs.haskellPackages.commonmark-extensions

pkgs.rubyPackages.jekyll-commonmark-ghpages

pkgs.rubyPackages_3_1.jekyll-commonmark-ghpages

pkgs.rubyPackages_3_2.jekyll-commonmark-ghpages

pkgs.rubyPackages_3_3.jekyll-commonmark-ghpages

pkgs.rubyPackages_3_4.jekyll-commonmark-ghpages

pkgs.rubyPackages_4_0.jekyll-commonmark-ghpages